
L Number 


Hits 


Search Text 


DB 


Time stamp 




33 


(protect$3 with (storage or repository or 
database) ) and (migrat$ with key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


16: 


23 




24 


( (protect$3 with (storage or repository or 
database)) and (migrat$ with key)) and 
(tree or hierarch$) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


16: 


24 




23 


( ( (protect$3 with (storage or repository 
or database) ) and (migrat$ with key) ) and 
(tree or hierarch$) ) and load$3 and 
(migrat$5 with key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


16: 


32 




24 


( ( (protect$3 with (storage or repository 
or database) ) and (migrat$ with key) ) and 
(tree or hierarch$) ) and (migrat$5 with 
key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


16: 


33 




21 


(trust$3 with system) and (migrat$5 with 
key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


16: 


34 




16 


(trust$3 with system) and (migrat$5 with 
key) and (tree or hierarch$) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


17: 


03 




9573 


privat$ with key 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


17: 


03 




620 


migrat$5 with key 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


17: 


04 




51 


(privat$ with key) and (migrat$5 with key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


17: 


04 




47 


( (privat$ with key) and (migrat$5 with 
key) ) and (storage or repository) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/10 


17: 


04 




35 


( ( (privat$ with key) and (migrat$5 with 
key) ) and (storage or repository) ) and 
trust$3 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


22 




2 


("6182212") .PN. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


23 




1 


("6668323") .PN. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


25 




2 


("6598032") .PN. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


25 



Search History 1/11/04 2:46:37 PM " Page 1 

C: \APPS\east\workspaces\defaultworkspacelayout . wsp 



• # 





1 


851956. apn. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09 


29 




1 


248791. apn. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09 


29 




383 


"credit card" and migrat$5 and encryp$5 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


30 




244 


("credit card" and migrat$5 and encryp$5) 
and key and (storage or repository) and 
(tree or hierarch$) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT ; 
IBM TDB 


2004/01/11 


09: 


30 




163 


{("credit card" and migrat$5 and encryp$5) 
and key and (storage or repository) and 
(tree or hierarch$) ) and trust$3 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


30 




113 


((("credit card" and migrat$5 and 
encryp$5) and key and (storage or 
repository) and (tree or hierarch$) ) and 
trust$3) and RSA 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


31 




72 


(((("credit card" and migrat$5 and 
encryp$5) and key and (storage or 
repository) and (tree or hierarch$) ) and 
trust$3) and RSA) and SSL 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


31 




5 


(((("credit card" and migrat$5 and 
encryp$5) and key and (storage or 
repository) and (tree or hierarch$) ) and 
trust$3) and RSA) and TPM 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


31 




6 


((("credit card" and migrat$5 and 
encryp$5) and key and (storage or 
repository) and (tree or hierarch$) ) and 
trust$3) and TPM 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


42 




78 


migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


44 




62 


(migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$) ) and trust$ 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


44 




61 


( (migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$)) and trust$) and load$ and 
(storage or repository or database) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


47 




1 


016700. apn. 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


46 




3 


( ( (migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$)) and trust$) and load$ and 
(storage or repository or database) ) and 
"2048" 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09: 


47 



Search History 1/11/04 2:46:37 PM Page 2 

C: \APPS\east\workspaces\defaultworkspacelayout . wsp 






48 


( ( (migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$) ) and trust$) and load$ and 
(storage or repository or database) ) and 
rsa 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09 


48 




4 


( ( ( (migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$)) and trust$) and load$ and 
(storage or repository or database)) and 
rsa) and (lock$3 with key) 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09 


48 




48 


( ( ( (migration and lock$3 and privat$3 and 
(tree or hierarch$) and (key with 
encrypt$) ) and trust$) and load$ and 
(storage or repository or database) ) and 
rsa) and lock$3 


USPAT; 
US-PGPUB; 
EPO; JPO; 
DERWENT; 
IBM TDB 


2004/01/11 


09 


53 



Search History 1/11/04 2:46:37 PM Page 3 

C: \APPS\east\workspaces\defaultworkspacelayout . wsp 



Google Search: trusted computinf|j|atform alliance migratable 




(§) 



Page 1 of 2 




Advanced Search Preferences Language Tools Search Tips 



[ trusted computing platform alliance jj Google Search 



Web - Images ■ Groups - Directory- News ■ 
Searched the web for trusted computing platform alliance migratable. Results 1 - 10 of about 35. Search took 

rppFi Trusted Computing Platform ADMainice (TCPA) Trusted Plaftform Module ... 
File Format: PDF/Adobe Acrobat - View as HTML 

... 1.3 Related Documents Trusted Computing Platform Alliance (TCPA) Main Specification ... state 
the future "trusted" configuration that the platform must be ... 
niap.nist.gov/cc-scheme/PP_TCPATPMPP_V1 .9.7.pdf - Similar pages 

[pdf] Trusted Computing Platform Alliance 
File Format: PDF/Adobe Acrobat - View as HTML 

Trusted Computing Platform Alliance (TCPA) Main Specification Version 1.1b Copyright 
© 2000-2002 Compaq Computer Corporation, Hewlett-Packard Company, IBM ... 
www.redbrick.dcu.ie/-gavin/tcpa/main%20v1 1 b.pdf - Similar pages 

[ppt] Fair Use By Design or By Law? 

File Format: Microsoft Powerpoint 97 - View as HTML 

... Protected storage. Sealing objects to particular software states. Migratable and 
non-migratable objects. ... Examples. Trusted Computing Platform Alliance (TCPA). ... 
cyberlaw.stanford.edu/events/archives/ speakers/Bechtold%20CIS%20slides.ppt - Similar pages 

[pdf] Improving End-user Security and Trustworthiness of TCPA Platforms 
File Format: PDF/Adobe Acrobat - View as HTML 

... 8]. First, all data that was encrypted using a non-migratable key get ... www.counterpane.com/crypto-gram- 
0208.html#1. 

[9] Trusted Computing Platform Alliance (TCPA ... 
www-krypt.cs.uni-sb.de/download/papers/Stuebl2003.pdf - Similar pages 

[pdf] Improving End-user Security and Trustworthiness of TCG-Platforms 
File Format: PDF/Adobe Acrobat - View as HTML 

... While this is no problem with migratable keys, non-migratable keys, eg ... 
www.counterpane.com/crypto-gram-0208.html#1. 
[8] Trusted Computing Platform Alliance (TCPA ... 
www-krypt.cs.uni-sb.de/download/papers/KurStu2003.pdf - Similar pages 

[ppt] Trusted Compytnimg i 

File Format: Microsoft Powerpoint 97 - View as HTML 

... Trusted Computing Platform Alliance. ... if the computer is accepted as a general entertainment 
platform for the ... Trusted Computing could add a few for computers here ... 
zoo.cs.yale.edu/classes/cs457/ Chandana_Wanigasekera.ppt - Similar pages 

heise Security - Know-how - Trusted Computing im Oberblick - [ Translate this page ] 
... designierte Nachfolgeorganisation der Trusted Computing Platform Alliance (TCPA ... Systeme 
integriertes Trusted Platform Module (TPM ... SchlQssel (Non-ftfligratable Keys ... 
www.heise.de/security/artikel/43179 - 26k - Cached - Similar pages 

Trusted Compuftnimg Spaziergang - [ Translate this page ] 

... TCPA: Trusted Computing Platform Alliance. ... Core Root Of Trust Measurement), TSS 
(Trusted 

platform Support Service). ... NGSCB: Next Generation Secure Computing Base. ... 
www.heise.de/ct/Redaktion/ghi/tc/linuxtagTCIinked.html - 35k - Cached - Similar pages 



http://ww.googlexom/search?M 1/10/04 



Google Search: trusted computii^Iatform alliance migratable A Page 2 of 2 



[ More results from www.heise.de 1 

[pdf] Single Sign-On using Trusted Platforms ffiH 

File Format: PDF/Adobe Acrobat - View as HTML 

... 12 Trust Relationships • End usertt IDK0) ... Related Work • Liberty Alliance - 

K-X OBTJ) web ... at el, Trasted Computing Platforms: TCPA ... 
www.sfc.wide.ad.jp/maui/RINKO/resumes/ maui-rinko-20030703-keitamitsuya.pdf - Similar pages 

[ppt] SP collusion 

File Format: Microsoft Powerpoint 97 - View as HTML 

... Reflection attacks^ RS<. I¥L< l*^To . Trust Relationships. ... Related 

Work. Liberty Alliance. ... Boris Balacheff, at el, Trasted Computing Platforms: TCPA. ... 

www.sfc.wide.ad.jp/maui/RINKO/resumes/ maui-rinko-20030703-keitamitsuya.ppt - Similar pages 



Gooogle ► 

Result Page: 12 3 Next 



|trusted computing platform allian ce j Jj^^^j^^^Bf Search within results 



Dissatisfied with your search results? Help us improve. 



Get the Google Toolbar: 



!j Google 



^Search Web 



6 blocked DAut( 



Google Home - Advertise with Us - Business Solutions - Services & Tools - Jobs, Press, & Help 

©2004 Google 



http://ww.googlexom/search?M 1/10/04 



Yahoo! Search Results for rsa kej_?rarchy migration root tcpa 



Page 1 of 2 



"^gSEBoQ|£search 



Search Home - Yahoo! - Hejp 



Your Search: | rsa key hierarchy migration root tcpa 



Yahoo! Search 



Advanced Web Sea r 
Preferences 



Web 



Imag es Director y 



News 



Products 



1- k 



TOP 13 WEB RESULTS out of about 13 ( What's this? ) 



1 TCG - A Introduction (PDF) * 

... storage root key root for decrypted key hierarchy stored in ... key is used as 
Attestation 

Identity Key (AIK) anonymity ... knowledge proof as secure as RSA TCG - A ... 
os.inf.tu-dresden.de/EZAG/abstracts/slides_2003121 2_1 .pdf - View as html 

2. Lecture Notes 12 : TCPA and Palladium Outline 1 Why Trusted ... 

(PDF) 5 

... Keys in this hierarchy-space can be migrateable, or ... necessary for update and 
Palladium 

migration) Attestation Attestation ... Since the Palladium RSA key is unique ... 
theory.lcs.mit.edu/classes/6.857/handouts/L12-tcpa-palladium.pdf - View as html - 
More pages from this site 

3. "A Vendor's Perspective" (PDF) ^ 

... random number generator hashing asymmetric crypto (RSA) key generation for ... 
the SRK 

each member of hierarchy has its ... so SRK is not a 'master' key: SRK-auth ... 
www.netproject.com/presentations/TCPA/stefek_zaba.pdf - View as html 

4. Trusted Computing Platform Alliance (TCPA) Trusted Platform 
Module ... (PDF) 5 

... other keys in the Protected Storage hierarchy, only. ... This test will also test the 
RSA sign and ... TPM Owner Key, TPM owner identification and authentication 
data ... 

niap.nist.gov/cc-scheme/PP_TCPATPMPP_V1 .9.4.pdf - View as html 

5. TCPA TPM Protection Profile Version 197 (PDF) ^ 

... keys in the Protected Storage hierarchy, only. ... identification and authentication 
data, Migration authorization data ... and decryption, and RSA key generation in ... 
https://www.trustedcomputinggroup.org/downloads/tcpa protection profile.pdf - View 
as html - More pages from this site 

6. Packet Storm's last 100 added files. Last Updated: Tue Dec 16 12 ... 

... have a chat session over 2048 bit RSA encryption. ... vulnerability which will 
reveal 

your private key within a ... it simple to work with deep hierarchies of protocols ... 
packetstormsecurity.nl/whatsnew100.txt - 36k - Cached - More pages from this site 

7. A standardised trusted PC component (PDF) S 

... The Subsystem provides a root of trust for the ... used for signing include 
asymmetric 

algorithms (such as RSA). ... both encryption and decryption use the same key). ... 
www.mouling.de/proiects/tcpainfo/lokal/bib/TCPA/designv1 Ofinal.pdf - View as html 



8. Trusted Computin g Platform Alliance (PDF) 5 



http://searchjahooxom/search?p=rsa+key+hierarchy+migration 1/11/04 



Yahoo! Search Results for rsa kdfc^erarchy migration root tcpa A Page 2 of 2 



... Page 4. Page 5. TCPA Main Specification Page v Version 1.1b 22 February 
2002 Table Of Contents 1. Forward ... 30 4.10.1 Mandatory Key Usage Schemes ... 
www.redbrick.dcu.ie/-gavin/tcpa/main%20v1_1b.pdf - View as html 

9. Cryptogra phic Centre of Excellence Issue 5 (PDF) ^ 

... will need to be either part of another hierarchy or a ... of the key to eventu- ally 
deduce 

the entire key. ... put a significant damper on the migration from magnetic ... 

www.pwcglobal.com/Extweb/pwcpublications.nsf/4bd5f76b48e282738525662b00739e22/c185af2b5e83a8i 
1b0054b2e1/$FILE/CCE%20Journal%20-%20lssue%205.pdf 

10. index Linux Magazine ^ - Translate this page 

... DVD-vid6o et d6cryptage avec CSS-key-maker. ... FHS (Linux Standard 
Base/Filesystem 

Hierarchy Standard) : standardiser ... par signature DSS ou RSA - integrity et ... 
eric.gerbier.free.fr/linuxmagjndex.html - 95k - Cached 

11. Chapter 1 (PDF) 5 

... 1 Public Key Certificates ... 2.6.9 TCPA 

www.doc.ic.ac.uk/-tgrand/PhD_Thesis.pdf - View as html 

12. Getting Started with TCP/IP for VSE/ESA 1 .4 (PDF) 5 

42 19. Installing the product key and customer identification 

43 20. ... 

www.e-vse.com/ftp/sg245626.pdf - View as html 

13. Gamma \Gamma (POSTSCRIPT) ^ - Translate this page 

... 20 Dead Keys Tod-Tasten, T. f "ur diakritische Zeichen.Akzent-Tasten ... eines 
Files 

chown "andert Besitzer eines Files chroot "andert Root-Verzeichnis close ... 
www.ciw.uni-karlsruhe.de/skriptum/skriptumA.ps - View as html 



Web Images Directory Yellow Pages News Products 



Your Search: (rsa key hierarchy migration root tcpa 



Yahoo! Search 



Advanced Web 

Search 

Preferences 



Search with your friends with the Yahoo! Search IMVironment 



Copyright © 2004 Yahoo! Inc. All rights reserved. Privacy Policy - Terms of Service - Ad Feedback 
Search Technology provided by Google 



http://search jahooxom/search?p=rsa+key+hier^ . . 1/1 1/04 



US 6,658,568 Bl 



TRUSTED INFRASTRUCTURE SUPPORT 
SYSTEM, METHODS AND TECHNIQUES 
FOR SECURE ELECTRONIC COMMERCE 
TRANSACTION AND RIGHTS 
MANAGEMENT 

CROSS REFERENCE TO RELATED 
APPLICATION 

This application is a continuation in part of commonly 
assigned copending application Ser. No. 08/388,107 of 
Ginter, et al, filed Feb. 13, 1995, entitled "SYSTEMS AND 
METHODS FOR SECURE TRANSACTION MANAGE- 
MENT AND ELECTRONIC RIGHTS PROTECTION," 
(hereafter "Ginter et al"), now abandoned. A file wrapper 
continuation of Application No. 08/388,107 issued as U.S. 
Pat. No. 5,982391. We incorporate by reference, into this 
application, the entire disclosure (including all. of the 
drawings) of this prior-filed Ginter, et aL patent application 
just as if its entire written specification and drawings were 
expressly set forth in this application. 

FIELD OF THE INVENTIONS 

These inventions generally relate to optimally bringing 
the efficiencies of modern computing and networking to the 
administration and support of electronic interactions and 
consequences and further relate to a secure architecture 
enabling distributed, trusted administration for electronic 
commerce. 

These inventions relate, in more detail, to a "Distributed 
Commerce Utility" — a foundation for the administration 
and support of electronic commerce and other electronic 
interaction and relationship environments. 

In still more detail, these inventions generally relate to: 

efficient administration and support of electronic com- 
merce and communications; 

methods and technologies for electronic rights adminis- 
tration and support services; 

techniques and arrangements for distributing administra- 
tion and support services such as secure electronic 
transaction management/administration, electronic 
process control and automation, and clearing functions 
across and/or within an electronic network and/or vir- 
tual distribution environment; and/or pi clearing, 
control, automation, and other administrative, infra- 
structure and support capabilities that collectively 
enable and support the operation of an efficient, secure, 
peer-to-peer collection of commerce participants 
within the human digital community. 

BACKGROUND 

Efficient, effective societies require capabilities enabling 
their inhabitants to control the nature and consequences of 
their participation in interactions. Every community needs 
certain basic services, facilities and installations: 

the post office delivers our mail, 

the schools teach our children, 

the highway department keeps our roads passable and in 

good repair, 
the fire department puts out fires, 
the power company delivers electrical power to our 

homes, 

the telephone company connects people and electronic 
devices near and far and provides directory services 
when you don't know the right number, 



10 



15 



20 



25 



30 



40 



45 



50 



55 



60 



65 



banks keep our money safe, 

cable TV and radio stations deliver news and entertain- 
ment programming to our homes, 
police keep order, 

the sanitation department collects refuse, and 
social services support societal policies for the needy. 
These and other important "behind the scenes" adminis- 
trative and support services provide an underlying base or 
foundation that makes the conveniences and necessities of 
modern life as we know it possible and efficient, and allow 
the wheels of commerce to spin smoothly. 

Suppose you want to buy bread at the local bakery. The 
baker doesn't have to do everything involved in making the 
bread because he can rely on support and administration 
services the community provides. For example: 

The baker doesn't need to grow or mill grain to make flour 
for the bread. Instead, he can purchase flour from a 
■ supplier that delivers it by truck- 
Similarly, the baker doesn't need to grow or produce fuel 
to keep its ovens hot; that fuel can be delivered in pipes 
or tanks by people who specialize in producing and 
supplying fuel. 
You can also have confidence in the cleanliness of the 
local bakery because it displays an inspection notice 
certifying that it has been inspected by the local health 
department. 

Support and administrative services are also very impor- 
tant to ensure that people are compensated for their efforts. 
For example: 

You and the bakery can safely trust the government to 
stand behind the currency you take out of your wallet 
or purse to pay for the bread. 
If you pay by check, the banking system debits the 
amount of your check from your bank account over- 
night and gives the bakery the money. 
If you and the bakery use different banks, your check may 
be handled by an automated "clearinghouse" system 
that allows different banks to exchange checks and 
settle accounts — efficiently transferring money 
between the banks and returning checks drawn on 
accounts that don't have enough money in them. 
If the bakery accepts credit cards as payment, the flex- 
ibility of payment methods accepted in exchange for 
the bakery products is increased and provides increased 
convenience and purchasing power to its customers. 
Such support and administrative services provide great 
economies in terms of scale and scope — making our 
economy much more efficient. For example, these important 
support and administrative services allow the baker to 
concentrate on what he knows how to do best — make and 
bake bread. It is much more efficient for a bakery and its 
experienced bakers to make many loaves of bread in its large 
commercial ovens than it is for individual families to each 
bake individual loaves in their own home ovens, or for the 
growers of grain to also bake the bread and pump the fuel 
needed for baking and accept barter, for example, chickens 
in exchange for the bread. As a result, you and the bakery 
can complete your purchasing transaction with a credit card 
because both you and the bakery have confidence that such 
a payment system works well and can be trusted to "auto- 
matically" function as a highly efficient and convenient basis 
for non-cash transactions. 

The Electronic Community Needs Administrative 
and Support Services 

There is now a worldwide electronic community. Elec- 
tronic community participants need the ability to shape, 



01/11/2004, EAST Version: 1.4.1 



3 



US 6,658,568 Bl 



4 



control, and, in an electronic world, automate, their inter- 
actions. They badly need reliable, secure, trusted support 
and administrative services. 

More and more of the world's commerce is being carried 
on electronically. The Internet— a massive electronic net- 
work of networks that connects millions of computers 
worldwide — is being used increasingly as the vehicle for 
commerce transactions. Fueled largely by easy-to-use inter- 
faces (e.g., those allowing customers to "point and click" on 
items to initiate purchase and then to complete a simple form 
to convey credit card information), the Internet is rapidly 
becoming a focal point for consumer and business to busi- 
ness purchases. It is also becoming a significant "channel" 
for the sale and distribution of all kinds of electronic 
properties and services, including information, software, 
games, and entertainment. 

At the same time, large companies use both private and 
public data networks to connect with their suppliers and 
customers. Driven by apparently inexorable declines in the 
cost of both computing power and network capacity, elec- 
tronic commerce will increase in importance as the world 
becomes more and more computerized. This new electronic 
community — with its widespread electronic commerce — is 
generating great new demands for electronic administrative, 
support and "clearing" services. 

The electronic community badly needs a foundation that 
will support both commercial and personal electronic inter- 
actions and relationships. Electronic commerce on any sig- 
nificant scale will require a dependable, efficient, scaleable, 
and secure network of third party support and administrative 
service providers and mechanisms to facilitate important 
parts of the transaction process. For example: 

People who provide value to the electronic community 
require seamless and efficient mechanisms allowing 
them to be compensated for the value they provide. 
Providers who sell goods or services to the electronic 
community need reliable, efficient electronic payment 
mechanisms to service themselves and other value 
chain participants. 
Purchasers in the electronic marketplace, while often 
unaware of the behind-the-scenes intricacies of pay- 
ment transaction activity, nonetheless require easy to 
use, efficient and flexible interfaces to payment mecha- 
nisms and financial obligation fulfillment systems. 
Rights holders in all types of electronic "content" (for 
example, analog or digital information representing 
text, graphics, movies, animation, images, video, digi- 
tal linear motion pictures, sound and sound recordings, 
still images, software computer programs, data), and to 
many types of electronic control processes, require 
secure, flexible and widely interoperable mechanisms 
for managing their rights and administering their busi- 
ness models, including collecting, when desired, pay- 
ments and relevant usage information for various uses 
of their content. 
All parties require infrastructure support services that 
remain dependable, trusted, and secure even as the 
volume of commerce transactions increases substan- 
tially. 

An important cornerstone of successful electronic trans- 
action management and commerce is therefore the develop- 
ment and operation of a set of administrative and support 
services that support these objectives and facilitate the 
emergence of more diverse, flexible, scaleable, and efficient 
business models for electronic commerce generally. 

The Ginter Patent Specification Describes a 
Comprehensive Solution 

The above-referenced Ginter, et al. patent specification 
describes technology providing unique, powerful capabili- 



ties instrumental to the development of secure, distributed 
transaction-based electronic commerce and rights manage- 
ment. This technology can enable many important, new 
business models and business practices on the part of 

5 electronic commerce participants while also supporting 
existing business models and practices. 

The Ginter et al. specification describes comprehensive 
overall systems and wide arrays of methods, techniques, 
structures and arrangements that enable secure, efficient 

!0 distributed electronic commerce and rights management on 
the Internet (and Intranets), within companies large and 
small, in the living room, and in the home office. Such 
techniques, systems and arrangements bring about an unpar- 
alleled degree of security, reliability, efficiency and flexibil- 

15 ity to electronic commerce and electronic rights manage- 
ment. 

The Ginter, et al. patent specification also describes an 
"Information Utility" — a network of support and adminis- 
trative services, facilities and installations that grease the 
20 wheels of electronic commerce and support electronic trans- 
actions in this new electronic community. For example, 
Ginter, et al. details a wide array of support and adminis- 
trative service providers for interfacing with and supporting 
a secure "Virtual Distribution Environment." These support 
25 and administrative service providers include: 
transaction processors, 
usage analysts, 
report receivers, 
30 report creators, 

system administrators, 
permissioning agents, 
certification authority 
35 content and message repositories, 
financial clearinghouses, 
consumer/author registration systems, 
template libraries, 
40 control structure libraries, 
disbursement systems, 

electronic funds transfer, credit card, paper billing 
systems, and 

receipt, response, transaction and analysis audit systems. 

45 

The Present Inventions Build On and Extend the 
Solutions Described In the Ginter Patent 
Specification 

50 The present inventions build on the fundamental concepts 
described in the Ginter, et al. patent specification while 
extending those inventions to provide further increases in 
efficiency, flexibility and capability. They provide an overlay 
of distributed electronic administrative and support services 

5S (the "Distributed Commerce Utility"). They can, in their 
preferred embodiments, use and take advantage of the 
"Virtual Distribution Environment" (and other capabilities 
described in the Ginter et al patent specification and may be 
layered on top of and expand on those capabilities. 

60 Brief Summary of Some of the Features and 

Advantages of the Present Inventions 

The present inventions provide an integrated, modular 
array of administrative and support services for electronic 
65 commerce and electronic rights and transaction manage- 
ment. These administrative and support services supply a 
secure foundation for conducting financial management, 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



rights management, certificate authority, rules clearing, 
usage clearing, secure directory services, and other transac- 
tion related capabilities functioning over a vast electronic 
network such as the Internet and/or over organization inter- 
nal Intranets, or even in-home networks of electronic appli- 
ances. 

These administrative and support services can be adapted 
to the specific needs of electronic commerce value chains. 
Electronic commerce participants can use these administra- 
tive and support services to support their interests, and can 
shape and reuse these services in response to competitive 
business realities. 

The present inventions provide a "Distributed Commerce 
Utility" having a secure, programmable, distributed archi- 
tecture that provides administrative and support services. 
The Distributed Commerce Utility can make optimally 
efficient use of commerce administration resources, and can 
scale in a practical fashion to accommodate the demands of 
electronic commerce growth. 

The Distributed Commerce Utility may comprise a num- 
ber of Commerce Utility Systems. These Commerce Utility 
Systems provide a web of infrastructure support available to, 
and reusable by, the entire electronic community and/or 
many or all of its participants. 

Different support functions can be collected together in 
hierarchical and/or in networked relationships to suit various 
business models and/or other objectives. Modular support 
functions can be combined in different arrays to form 
different Commerce Utility Systems for different design 
implementations and purposes. These Commerce Utility 
Systems can be distributed across a large number of elec- 
tronic appliances with varying degrees of distribution. The 
comprehensive "Distributed Commerce Utility" provided by 
the present invention: 

Enables practical and efficient electronic commerce and 
rights management. 

Provides services that securely administer and support 
electronic interactions and consequences. 

Provides infrastructure for electronic commerce and other 
forms of human electronic interaction and relation- 
ships. 

Optimally applies the efficiencies of modern distributed 
computing and networking. 

Provides electronic automation and distributed process- 
ing. 

Supports electronic commerce and communications infra- 
structure that is modular, programmable, distributed 
and optimally computerized. 

Provides a comprehensive array of capabilities that can be 
combined to support services that perform various 
administrative and support roles. 

Maximizes benefits from electronic automation and dis- 
tributed processing to produce optimal allocation and 
use of resources across a system or network. 

Is efficieot, flexible, cost effective, configurable, reusable, 
modifiable, and generalizable. 

Can economically reflect users' business and privacy 
requirements. 

Can optimally distribute processes — allowing commerce 
models to be flexible, scaled to demand and to match 
user requirements. 

Can efficiently handle a full range of activities and service 
volumes. 

Can be fashioned and operated for each business model, 
as a mixture of distributed and centralized processes. 



10 



15 



20 



25 



30 



35 



40 



45 



50 



60 



65 



Provides a blend of local, centralized and networked 
capabilities that can be uniquely shaped and reshaped 
to meet changing conditions. 

Supports general purpose resources and is reusable for 
many different models; in place infrastructure can be 
reused by different value chains having different 
requirements. 

Can support any number of commerce and communica- 
tions models. 

Efficiently applies local, centralized and networked 
resources to match each value chain's requirements. 

Sharing of common resources spreads out costs and 
maximizes efficiency. 

Supports mixed, distributed, peer-to-peer and centralized 
networked capabilities. 

Can operate locally, remotely and/or centrally. 

Can operate synchronously, asynchronously, or support 
both modes of operation. 

Adapts easily and flexibly to the rapidly changing sea of 
commercial opportunities, relationships and constraints 
of "Cyberspace." 

In sum, the Distributed Commerce Utility provides 
comprehensive, integrated administrative and support ser- 
vices for secure electronic commerce and other forms of 
electronic interaction. 

Some of the advantageous features and characteristics of 
the Distributed Commerce Utility provided by the present 
inventions include the following: 

The Distributed Commerce Utility supports 
programmable, distributed, and optimally computer- 
ized commerce and communications administration. It 
uniquely provides an array of services that perform 
various administrative and support roles — providing 
the administrative overlay necessary for realizing 
maximum benefits from electronic automation, distrib- 
uted processing, and system (e.g., network) wide opti- 
mal resource utilization. 

The Distributed Commerce Utility is particularly adapted 
to provide the administrative foundation for the 
Internet, organization Intranets, and similar environ- 
ments involving distributed digital information 
creators, users, and service systems. 

The Distributed Commerce Utility architecture provides 
an efficient, cost effective, flexible, configurable, 
reusable, and generalizable foundation for electronic 
commerce and communications administrative and 
support services. Providing these capabilities is critical 
to establishing a foundation for human electronic inter- 
action that supports optimal electronic relationship 
models — both commercial and personal. 

The Distributed Commerce Utility architecture provides 
an electronic commerce and communication support 
services foundation that can be, for any specific model, 
fashioned and operated as a mixture of distributed and 
centralized processes. 

The Distributed Commerce Utility supported models can 
be uniquely shaped and reshaped' to progressively 
reflect optimal blends of local, centralized, and net- 
worked Distributed Commerce Utility administrative 
capabilities. 

The Distributed Commerce Utility's innovative electronic 
administrative capabilities support mixed, distributed, 
peer-to-peer and centralized networked capabilities. 
Collections of these capabilities, can each operate in 
any mixture of local, remote, and central asynchronous 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



8 



and/or synchronous networked combinations that 
together comprise the most commercially 
implementable, economic, and marketable — that is 
commercially desirable — model for a given purpose at 
any given time. 5 

The Distributed Commerce Utility architecture is general 
purpose. It can support any number of commerce and 
communication models which share (e.g., reuse), as 
appropriate, local, centralized, and networked 
resources. As a result, the Distributed Commerce Util- 1Q 
ity optimally enables practical and efficient electronic 
commerce and rights management models that can 
amortize resource maintenance costs through common 
usage of the same, or overlapping, resource base. 

One or more Distributed Commerce Utility commerce 
models may share some or all of the resources of one 
or more other models. One or more models may shift 
the mix and nature of their distributed administrative 
operations to adapt to the demands of Cyberspace — a 
rapidly changing sea of commercial opportunities, 
relationships, and constraints. 20 

The Distributed Commerce Utility supports the processes 
of traditional commerce by allowing their translation 
into electronic commerce processes. The Distributed 
Commerce Utility further enhances these processes 
through its use of distributed processing, rights related 25 
"clearinghouse" administration, security designs, 
object oriented design, administrative smart agents, 
negotiation and electronic decision making techniques, 
and/or electronic automation control techniques as may 
be necessary for efficient, commercially practical elec- 30 
tronic commerce models. 

Certain Distributed Commerce Utility operations 
(financial payment, usage auditing, etc.) can be per- 
formed within participant user electronic appliance 
secure execution spaces such as, for example, "pro- 
tected processing environments" disclosed in Ginter et 
aL 

Distributed clearinghouse operations may be performed 
through "virtually networked and/or hierarchical" ^ 
arrays of Commerce Utility System sites employing a 
general purpose, interoperable (e.g., peer-to-peer) vir- 
tual distribution environment foundation. 

For a given application or model, differing arrays of 
Distributed Commerce Utility Services may be autho- 45 
rized to provide differing kinds of administrative and/or 
support functions. 

Any or all of the roles supported by the Distributed 
Commerce Utility may be performed by, and/or used 
by, the same organization, consortium or other group- 50 
ing of organizations, or other electronic community 
participants, such as individual user web sites. 

One or more parts of the Distributed Commerce Utility 
may be comprised of a network of distributed protected 
processing environments performing one or more roles 55 
having hierarchical and/or peer-to-peer relationships. 

Multiple Distributed Commerce Utility protected process- 
ing environments may contribute to the overall role of 
a service, foundation component, and/or clearinghouse. 

Distributed protected processing environments contribut- 60 
ing to a Distributed Commerce Utility role may be as 
distributed, in a preferred embodiment, as the number 
of VDE participant protected processing environments 
and/or may have specific hierarchical, networked and/ 
or centralized administration and support relationship 65 
(s) to such participant protected processing environ- 
ments. 



35 



In a given model, certain one or more Distributed Com- 
merce Utility roles may be fully distributed, certain 
other one or more roles may be more (e.g., 
hierarchically), and/or fully, centralized, and certain 
other roles can be partially distributed and partially 
centralized. 

The fundamental peer-to-peer control capabilities pro- 
vided by the Distributed Commerce Utility allows for 
any composition of distributed roles that collectively 
provide important, practical, scaleable, and/or essential 
commerce administration, security, and automation ser- 
vices. 

Combinations of Distributed Commerce Utility features, 
arrangements, and/or capabilities can be employed in 
programmable mixtures of distributed and centralized 
arrangements, with various of such features, 
arrangements, and capabilities operating in end-user 
protected processing environments and/or "middle" 
foundation protected processing environments (local, 
regional, class specific, etc.) and/or centralized service 
protected processing environments. 

The Distributed Commerce Utility is especially useful to 
support the Internet and other electronic environments 
that have distributed information creators, users and 
service providers. By helping people to move their 
activities into the electronic world, it plays a funda- 
mentally important role in migration of these non- 
electronic human activities onto the Internet, Intranets, 
and other electronic interaction networks. Such net- 
work users require the Distributed Commerce Utility 
foundation and support services in order to economi- 
cally realize their business and privacy requirements. 
This secure distributed processing foundation is needed 
to optimally support the capacity of electronic com- 
merce models to meaningfully scale to demand and 
efficiently handle the full range of desired activities and 
service volume. 

The Distributed Commerce Utility technologies provided 
by the present inventions provide a set of secure, 
distributed support and administrative services for elec- 
tronic commerce, rights management, and distributed 
computing and process control. 

The Distributed Commerce Utility support services 
including highly secure and sophisticated technical 
and/or contractual services, may be invoked by elec- 
tronic commerce and value chain participants in a 
seamless, convenient, and relatively transparent way 
that shields users against the underlying complexity of 
their operation. 

The Distributed Commerce Utility can ensure appropri- 
ately high levels of physical, computer, network, pro- 
cess and policy-based security and automation while 
providing enhanced, efficient, reliable, easy to use, 
convenient functionality that is necessary (or at least 
highly desirable) for orderly and efficiently supporting 
of the needs of the electronic community. 

The Distributed Commerce Utility, in its preferred 
embodiments, support the creation of competitive com- 
mercial models operating in the context of an "open" 
VDE based digital marketplace. 

The Distributed Commerce Utility can provide conve- 
nience and operating efficiencies to their value chain 
participants. For example, they may offer a complete, 
integrated set of important "clearing" function capa- 
bilities that are programmable and can be shaped to 
optimally support multi-party business relationship 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



9 



10 



through one seamless, "distributed" interface (e.g., a 
distributed application). Clearing and/or support func- 
tions and/or sub-functions can, as desirable, be made 
available individually and/or separately so as to serve 
business, confidentiality, efficiency, or other objectives. 

The Distributed Commerce Utility can make it easy for 
providers, merchants, distributors, repurposers, 
consumers, and other value chain participants to attach 
to, invoke, and work with Distributed Commerce Util- 
ity services. Hookups can be easy, seamless and com- 
prehensive (one hook-up may provide a wide variety of 
complementary services). 

The Distributed Commerce Utility can further enhance 
convenience and efficiency by providing or otherwise 
supporting consumer brand images for clearing ser- 
vices offered by participant organizations, but utilizing 
shared infrastructure and processes. 

The Distributed Commerce Utility can realize important 
efficiencies resulting from scale and specialization by 
participant organizations by supporting "virtual" mod- 
els that electronically and seamlessly employ the spe- 
cial services and capabilities of multiple parties. 

The Distributed Commerce Utility makes it possible for 
consumers to conveniently receive a benefit such as a 
service or product, where such service or product 
results from the invocation of a "fabric" of various 
support services — each of which service may be com- 
prised of a distributed fabric of more specialized ser- 
vices and/or participating constituent service providers 
(the overall fabric is apparent to the value chain 
participant, the underlying complexity is (or can be) 
largely or entirely hidden). 

Distributed Commerce Utility services and capabilities in 
their preferred embodiments can employ and be com- 
bined in any reasonable manner with any one or more 
Virtual Distribution Environment capabilities 
described in Ginter, et. al., including for example: 

A. VDE chain of handling and control, 

B. secure, trusted internodal communication and 
interoperability, 

C. secure database, 

D. authentication, 

E. cryptographic, 
R fingerprinting, 

G. other VDE security techniques, 

H. rights operating system, 

I. object design and secure container techniques, 
J. container control structures, 

K. rights and process control language, 
L. electronic negotiation, 
M. secure hardware, and 

N. smart agent (smart object) techniques (for example, 
smart agents employed as process control, multi- 
party, and/or other administrative agent capabilities 
supporting distributed node administrative 
integration). 

Commerce Utility Systems Can Be Distributed and 
Combined 

The support and administrative service functions pro- 
vided by the Distributed Commerce Utility can be combined 
in various ways and/or distributed through an electronic 
community, system or network. The preferred embodiment 
uses the protected processing environment based virtual 
Distribution Environment described in Ginter et al. to facili- 
tate such combinations and distributedness. Since all such 



virtual Distribution Environment protected processing envi- 
ronments are at least to some degree trusted, every protected 
processing environment can be a clearinghouse or a part of 
a clearinghouse. Commerce models acceptable to the inter- 
est and desires of VDE commerce node users, can support 
Distributed Commerce Utility services that are pushed all 
the way to end-user electronic appliances employing, for 
example, other VDE protected processing environments, 
secure communication techniques and other VDE capabili- 
ties (as discussed elsewhere VDE capabilities can be directly 
integrated with the present inventions). Such appliances, 
along with more centralized value chain nodes can together 
form combinations that function as virtual clearing protected 
processing environments. In the end, cyberspace will be 
populated, in part, by big, 'Virtual" computers where access 
to resources is based upon "availability" and rights. 

The Distributed Commerce Utility is a modular, program- 
mable and generalizable context that it can support such 
virtual computers. The Distributed Commerce Utility is a 
unique architectural foundation for the design of electronic 
commerce value chain models and virtual computers. The 
programmable nature of a particular implementation can 
support differing actual (logical and/or physical), and/or 
degrees of, distribution for the same and/or similar services 
For example: 

Centralized Commerce Utility Systems and services may 
be used to provide certain support service functions, or 
collections of functions, efficiently from a centralized 
location. 

Other Commerce Utility Systems might be provided in a 

partially or wholly distributed manner. 
Some support and administrative service functions might 
be distributed in and/or throughout existing or new 
communications infrastructure or other electronic net- 
work support components. 
Other support services might operate within secure execu- 
tion spaces (e.g., protected processing environments) 
on any or all user electronic appliances, using peer-to- 
peer communications and interactions, for example, to 
provide a secure web of support service fabric. 
Other support services might operate both in the network 
support infrastructure and at user electronic appliances. 
Such distributed support services may complement (and/ 
or eliminate the need for) more centralized support service 
installations. Different combinations of the same and/or 
differing, non-distributed and differently distributed services 
may be provided to support different activities. Moreover, 
the nature and distribution of services for one overall model 
may differ from one implementation to another. Such dif- 
fering model implementations can, if desired, share both the 
same Commerce Utility Systems and Services and/or any 
particular and/or any combination of Distributed Commerce 
Utility administrative and/or support functions. 

Further, a particular Commerce Utility Systems and Ser- 
vice infrastructure may be used by differing value chains 
(e.g., business model or relationship set) in differing man- 
ners. For example, certain value chains may elect to keep 
certain support service functions more centralized for 
60 efficiency, security, control or other reasons, others may 
elect more and/or differently distributed models. 

Provided that, for example, payment methods and right - 
sholders and/or other value chain participants concur, any 
one or more of the Distributed Commerce Utility secure 
infrastructure support services may distribute and/or del- 
egate a portion or all of their functions and authority to any 
arbitrary collection or set of end-user and/or other value 



10 



15 



20 



25 



30 



35 



40 



45 



50 



55 



65 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



11 



12 



chain electronic appliances. Distributing and delegating 
these services and functions has various advantages 
including, for example, enabling flexible and efficient cre- 
ation of temporary, ad hoc webs of secure electronic com- 
merce in which any, a number, or all apptiance(s) in the 
collection or set may participate as at least a partial (if not 
full) peer of other appliances in the same commerce web 
fabric. 

The present invention provides the following non- 
exhaustive list of additional features relating to distributing 
administrative and support functions: 

Any mixture of any administrative and/or support func- 
tions may be integrated with any other mixture of 
administrative and/or support functions. 

Any set or subset of Commerce Utility System functions 
can be combined in an integrated design with any other 
mixture of Commerce Utility system functions. Such 
mixtures can be distributed to any desired degree and 
any one or more portions of the mixture may be more 
or less distributed than any other one or more portion. 
This allows a value chain to employ optimum desired 
and/or practical designs. Any mixture, including any 
degrees of distribution, of rights clearing, financial 
clearing, usage aggregation, usage reporting and/or 
other clearing and/or other Distributed Commerce Util- 
ity functions, can be provided. Such Distributed Com- 
merce Utility functions and/or administrative and/or 
support services can be combined with any other 
desired Distributed Commerce Utility functions and/or 
administrative and/or support services. 

Any one or more such administrative and/or support 
services and/or functions can operate as a Commerce 
Utility System and support a web of Commerce Utility 
System nodes, each of which supports at least a portion 
of such Commerce Utility administrative service activi- 
ties. Each Commerce Utility System may be capable of 
granting authority and/or providing services to and/or 
otherwise securely interoperating with other Com- 
merce Utility Systems and/or nodes. 

Each Commerce Utility System (or combination of Com- 
merce Utility Systems) may be capable of participating 
as a "virtual clearinghouse" comprised of plural Com- 
merce Utility Systems. In the preferred embodiment, 
these "virtual clearinghouses" may, when in accor- 
dance with VDE rules and controls, intemperate — in a 
fashion prescribed by such rules and controls — with 
other Commerce Utility Systems and/or other virtual 
clearinghouses participating in the same web. Such 
"virtual clearinghouses" may receive authority from 
secure chain of handling and control embodied in 50 
electronic control sets, and may participate in elec- 
tronic commerce process automation resulting from 
such chain of handling and control and other VDE 
capabilities. 

This ability to distribute, and, if desired to subsequently 
adapt (modify), any support service functions to any desired 
degree across a system or network provides great power, 
flexibility and increases in efficiency. For example, distrib- 
uting aspects of support services such as clearing functions 
will help avoid the "bottlenecks" that a centralized clearing 
facility would create if it had insufficient capacity to handle 
the processing loads. Taking advantage of the distributed 
processing power of many value chain participant appli- 
ances also has great benefits in terms of improved effec- 
tiveness and system response time, much lower overhead of 
operation, greater fault tolerance, versatility in application 
implementations, and, in general much greater value chain 



10 



15 



20 



25 



30 



35 



40 



45 



55 



60 



65 



appeal resulting from the present inventions adaptability to 
each value chain participant's needs and requirements. 

Some Examples of Administrative and/or Support 
Services Provided by the Distributed Commerce 
Utility 

The Distributed Commerce Utility may be organized into 
a number of different, special and/or general purpose "Com- 
merce Utility Systems." The Commerce Utility Systems can 
be centralized, distributed, or partially distributed and par- 
tially centralized to provide administrative, security, and 
other services that practical commerce management layer 
requires. Certain Commerce Utility Systems comprise Dis- 
tributed Commerce Utility implementations of certain well 
known administrative service functions, such as financial 
clearinghouse and certifying authorities. Other Commerce 
Utility Systems involve new forms of services and new 
combinations and designs for well known service activities. 
A Commerce Utility System is any instantiation of the 
Distributed Commerce Utility supporting a specific elec- 
tronic commerce model, and a Commerce Utility System 
may itself be comprised of constituent Commerce Utility 
Systems. Commerce Utility Systems may include any or all 
of the following, in any combination of capabilities and 
distribution designs, for example: 

financial clearinghouses, 

usage clearinghouses, 

rights and permissions clearinghouses, 

certifying authorities, 

secure directory services, 

secure transaction authorities, 

multi-purpose, general purpose and/or combination Com- 
merce Utility Systems including any combination of 
the capabilities of the systems listed immediately 
above, and 

other Commerce Utility Systems. 

These Commerce Utility Systems are far-reaching in their 
utility and applicability. For example they may provide 
administrative support for any or all of the following: 

trusted electronic event management, 

networked, automated, distributed, secure process admin- 
istration and control, 

Virtual Distribution Environment chain-of-handling and 
control, and 

rights administration and usage (e.g., event) management 
(e.g., auditing, control, rights fulfillment, etc.), across 
and/or within electronic networks, including 
"unconnected," virtually connected, or periodically 
connected networks. 

The Commerce Utility Systems may govern electronic 
process chains and electronic event consequences related to, 
for example: 

electronic advertising, 

market and usage analysis, 

electronic currency, 

financial transaction clearing and communications, 
manufacturing and other distributed process control 

models, 
financial clearing, 

enabling payment fulfillment or provision of other con- 
sideration (including service fees, product fees or any 
other fees and/or charges) based at Least in part on 
content, process control (event) and/or rights 
management, 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

13 14 

performing audit, billing, payment fulfillment (or provi- FIGS. 3A-3C show example distributed Commerce Util- 

sion of other consideration) and/or other clearing ity Systems; 

activities, p]G. 4 shows an example web of Commerce Utility 

compiling, aggregating, using and/or providing informa- Systems; 

tion relating to use of one or more secure containers 5 pjQ 4 A srjows a limitless web of consumer appliances 

and/or content and/or processes (events), including anf j Commerce Utility Systems; 

contents of secure containers and/or any other content, FIG. 5 shows how rights holders can select between 

providing information based upon usage auditing, user mu i tip ie Commerce Utility Systems connected to an elec- 

profiling, and/or market surveying related to use of one "information highway"; 

or more secure containers and/or content and/or pro- ^ 6 ^ an exflmplc of faow Commercc 

cesses (events), Utffi Systems can work together; 

employing information derived from user exposure to _ , , i»« i j • • * 

« Tr i a- a. - \ - ~c FIG. 7 shows an example of how multiple administrative 

content (including advertising) arid/or use of processes , _ - *\ . , , . 

/ , \ and support service functions can be combined and lnte- 

^ ■ t . . . aj . . 15 grated within Commerce Utility Systems; 

providing object registry services; and/or rights, ^„ „ „ , , - . . . - . 

permissions, prices, and/or other rules and controls „ ™ s T h ° ws " exam P le web of combined 610011013 

information; for registered and/or registering objects; Commerce Utility Systems; 

electronically certifying information used with and/or FIGS. 8A-8B show example Commerce Utility System 

required by rules and controls, such as authenticating 2 q nicrarcDies » 

identity, class membership and/or other attributes of FIG. 9 shows an example hierarchy of multi-function 

identity context including for example, certification of Commerce Utility Systems 

class identity for automating processes, such as rights FIG. 10 shows an example financial clearinghouse; 

related financial transaction fulfillment based upon pjo. 11 shows an example usage clearinghouse; 

governing jurisdiction (taxations)) employment and/ 25 nG n shows m e le rights and permissions clear- 

or other group membership including, for example, inehouse* 

acquired class rights (e.g., purchased discount buyers „, „ ' , . . . » 

club membership^ FIG. 13 shows an example certify mg authonty; 

. . , , . . ' , .. . £ _ . RG. 14 shows an example secure directory service; 

third party archiving and/or authenticating of transactions F J ' 

and/or transaction information for secure backup and 30 FIG. 15 shows an exam P le transaction authonty; 

non-repudiation, FIGS. 16A-16F show that Commerce Utility Systems can 

providing programmed mixed arrays of Commerce Utility su PP ort other commerce utility systems; 

System process control and automation services, where FIGS. 17A through 17D-3 show an example Commerce 

different Commerce Utility Systems support different Utility System architecture; 

value chains and/or business models requirements, and 35 FIGS. 17E-1 through 17E-4 show Commerce Utility 
where such Commerce Utility Systems further support System example interaction models; 
distributed, scaleable, efficient networked and/or hier- FIG. 17F shows an example arrangement for distributing 
archical fixed and/or virtual clearinghouse models portions of administrative and support service operations; 
which employ secure communication among a Com- p IG 18 shows m example financial clearinghouse Com- 
merce Utility System's distributed clearinghouse pro- 40 merce utility System* 

tected processuig environments for passing clearing- nQ 19 fc finandal ckarin ^ ouse 

house related rules and controls and derived, arraneement* 

summarized, and/or detailed transaction information, ^z, . , _ . , , . 

___ , . ,. , . , _ FIG. 20 shows an example financial clearing process; 

EDI, electronic trading models, and distributed comput- ™™ , , . , . 

ing arrangements where participants require trusted « FIGS. 20A-20F show an additional example of financial 

foundation that enables efficient, distributed clearmg activiUes and processes; 

administration, automation, and control of transaction p IG. 21 shows a simplified value chain (payment) disag- 

value chains, and gregation example; 

other support and/or administrative services and/or tunc- FIG. 22 shows an example of how the FIG. 21 disaggre- 

tj ons 50 gation can be implemented within a financial clearinghouse 

context; 

BRIEF DESCRIPTION OF THE DRAWINGS mG 22A shows an example arrangement for implement- 

Tnese and other features and advantages provided by the m g payment disaggregation on a user protected processing 

present inventions will become better and more completely environment; 

understood by studying the following detailed description of 55 FIG. 23 shows a more complex value chain (payment) 

presently preferred example embodiments in conjunction disaggregation example; 

with the drawings, of which: FIG. 24 shows an example of how disaggregation can be 

FIG. 1 shows an example Distributed Commerce Utility implemented within a financial clearinghouse context; 

supporting a consumer's example electronic appliance; 6Q FIG. 25 shows a value chain disaggregation example that 

FIG. 1A shows a protected processing environments) also details compensation to the Distributed Commerce 

("PPE") within the consumer's electronic appliance(s); Utility; 

FIG. IB shows that the Distributed Commerce Utility FIG. 26 shows an example value chain (payment) disag- 

may comprise a number of example Commerce Utility gregation to any number of payees; 

Systems; 65 FIG. 27 shows an additional example of how value chain 

FIGS. 2A-2E show examples of how administrative and (payment) disaggregation and redistribution may be accom- 

support service functions can be distributed; plished through a financial clearinghouse; 



01/11/2004, EAST Version: 1.4.1 



US 6,6: 

IS 

FIG. 28 shows an example superdistribution payment and 
redistribution scenario using a financial clearinghouse for 
financial clearing; 

FIG. 29 shows an example value chain (payment) aggre- 
gation at a consumer protected processing environment or 
other site; 

FIG. 30 shows example value chain (payment) aggrega- 
tion across multiple transactions; 

FIG. 31 shows example value chain (payment) aggrega- 
tion across multiple transactions and multiple consumers; 

FIG. 32 shows an example Commerce Utility System 
architecture providing payment aggregation; 

FIG. 33 shows an example usage clearinghouse Com- 
merce Utility System; 

FIG. 34 shows an example usage clearinghouse architec- 
ture; 

FIG. 35 shows an example usage clearing process; 

FIG. 36 shows an additional example usage clearing 
process using multiple usage clearinghouses; 

FIG. 37 shows an example usage clearing process using 
usage and financial clearinghouses; 

FIG. 38 shows an example usage clearinghouse media 
placement process; 

FIG. 39 shows an example usage clearing process pro- 
viding discounts based on different levels of consumer usage 
information disclosure; 

FIG. 40 shows an example rights and permissions clear- 
inghouse Commerce Utility System; 

FIG. 41 shows an example rights and permissions clear- 
inghouse architecture; 

FIG. 42 shows an example rights and permissions clear- 
ing process; 

FIG. 42A shows an example control set registration 
process for updates; 

FIG. 43 shows an additional example rights and permis- 
sions clearing process; 

FIGS. 44A-44E show an additional rights and permis- 
sions clearing example; 

FIGS. 45A and 45B show example rights template(s); 

FIG. 45C shows an example control set corresponding to 
the example rights templates); 

FIG. 46 shows another example rights and permissions 
clearing process; 

FIG. 47 shows an example certifying authority Commerce 
Utility System; 

FIG. 48 shows an example certifying authority architec- 
ture; 

FIG. 49 shows an example certifying process; 

FIG. 50 shows an example distributed certifying process; 

FIG. 50A shows an example control set that conditions 
performance and/or other consequences on the presence of 
digital certificates; 

FIGS. 51A-51D show example digital certificate data 
structures; 

FIG. 51E shows an example technique for generating 
digital certificates based on other digital certificates and a 
trusted databases); 

FIGS. 51F-51H show an example technique for defining 
a virtual entity; 

FIG. 52 shows an example secure directory services 
Commerce Utility System; 

FIG. 53 shows an example secure directory services 
architecture; 



>8,568 Bl 

16 

FIG. 54 shows an example secure directory services 
process; 

FIG. 55 shows an example transaction authority Com- 
merce Utility System; 
5 FIG. 56 shows an example transaction authority architec- 
ture; 

FIG. 57 shows an example transaction authority process; 

FIG. 58A shows an example of how the transaction 
10 authority creates a control superset; 

FIG. 58B shows example steps performed by the trans- 
action authority; 

FIGS. 58C and 58D show an example secure checkpoint 
Commerce Utility System; 
is FIGS. 59 and 60 show examples of how the Distributed 
Commerce Utility can support different electronic value 
chains; 

FIG. 61 shows a purchase, licensing and/or renting 
example; 

20 FIG. 62 shows a tangible item purchasing and paying 
example; 

FIG. 63 shows an example of a customer securely paying 
for services; 

25 FIG. 64 shows example value chain disaggregation for 
purchase of tangibles; 

FIG. 65 shows an example of cooperation between Com- 
merce Utility Systems internal and external to an organiza- 
tion; 

30 FIG. 66 shows an example inter and intra organization 
transaction authority example; 

FIG. 67 shows an international trading example. 

DETAILED DESCRIPTION OF EXAMPLE 
35 EMBODIMENTS 

Distributed Commerce Utility 

FIG. 1 shows an example consumer appliance 100 elec- 
tronically connected to Distributed Commerce Utility 75. in 

40 this example, an electronic network 150 connects appliance 
100 to Distributed Commerce Utility 75. Distributed Com- 
merce Utility 75 supports the activities going on within 
consumer appliance 100. 

Distributed Commerce Utility 75 provides a foundation of 

45 administrative and support services for electronic commerce 
and communications. This foundation is efficient, cost 
effective, flexible, configurable, reusable, programmable 
and generalizable. It supports all kinds of electronic 
relationships, interactions and communications for both 

so personal and business use. 

The Distributed Commerce Utility Can Support 
Any Electronic Appliance 

Appliance 100 may be any sort of electrical or electronic 
55 device such as for example, a computer, an entertainment 
system, a television set, or a video player — just to name a 
few examples. In the particular example shown in FIG. 1, 
the consumer appliance 100 is a home color television set 
102, a video player/recorder 104, and a set top box 106. 
60 Appliance 100 may be controlled by hand held remote 
controller 108, for example. Set top box 106 could receive 
television programs from television broadcasters 110 and/or 
satellites 112 via a cable television network 114, for 
example. Player/recorder 104 could play various types of 
65 program material from tapes, optical disks or other media, 
and may also have the capability of recording program 
materials received through set top box 106. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,; 

17 

The Appliance 100 Can Have A "Protected 
Processing Environment" 

Appliance 100 preferably is a secure electronic appliance 
of the type shown for example in FIGS. 7 and 8 of the Ginter 5 
et al. patent specification. It is preferably part of the "Virtual 
Distribution Environment" described in the Ginter, et al. 
patent specification. FIG. 1A shows that television 102, set 
top box 106, media player/recorder 104 and remote control 
108 may each have a "protected processing environment" 1Q 
("PPE") 154. Distributed Commerce Utility 75 may interact 
with and support the processes going on within each of these 
protected processing environments 154. 

Protected processing environments 154 may be based on 
one or more computer chips, such as a hardware and/or is 
software based "secure processing unit" as shown in FIG. 9 
of the Ginter et al. Patent specification. The protected 
processing environment 154 provides a highly secure, 
trusted environment in which electronic processes and trans- 
actions can be reliably performed without significant danger 2 o 
of tampering or other compromise. The Ginter et al. patent 
disclosure describes techniques, systems and methods for 
designing, constructing and maintaining the protected pro- 
cessing environment 154 so that rights holders and other 
value chain participants (including consumers 95) can trust 25 
its security and integrity. In the preferred embodiment, this 
trustedness is important in the interaction between the 
Distributed Commerce Utility 75 and electronic appliance 
100. 

30 

The Distributed Commerce Utility Can be Made 
Up of Many "Commerce Utility Systems" 

FIG. IB shows that Distributed Commerce Utility 75 can 
be made up of a number of Commerce Utility Systems 90. 
There can be different kinds of Commerce Utility Systems, 35 
for example: 

a financial clearinghouse 200; 

a usage clearinghouse 300; 

a rights and permissions clearinghouse 400; 40 

a certifying authority 500; 

a secure directory services 600; 

a transaction authority 700; 

a VDE administrator 80(fe and 45 

other kinds of Commerce Utility Systems 90. 

Commerce Utility Systems 90 can support and administer 
functions or operations within protected processing 
environments) 154. For example: 

The appliance 100 protected processing environment 154 50 
may provide an automatic electronic payment mecha- 
nism 118 that debits the consumers' bank or other 
money account based on program consumption. Dis- 
tributed Commerce Utility 75 may include a special 
purpose Commerce Utility System 90a called a "finan- 55 
cial clearinghouse" 200 that supports financial aspects 
of the operation of the protected processing environ- 
ment 154 — ensuring that rights holders and others get 
paid appropriate amounts and that the consumers 95 are 
not charged excessive amounts. 60 

The broadcaster of a television program 102a may require 
appliance 100's protected processing environment 154 
to meter, with an electronic usage metering mechanism 
116, how much of video program 102a the consumers 
95 watch, and which video programs they watch. 65 
Distributed Commerce Utility 75 may include a special 
purpose Commerce Utility System 90fc called a "usage 



568 Bl 

18 

clearinghouse" 300 that receives usage information 
metered by a usage meter 116 within the protected 
processing environment 154, analyzes it and provides 
reports. 

The rights holders in video program 102a may insist upon 
the protected processing environment 154 providing a 
copy protection mechanism 120 that securely protects 
against copying video program 102a. Distributed Com- 
merce Utility 75 may include a special purpose Com- 
merce Utility System 90c called a "rights and permis- 
sions clearinghouse" 400 that supplies the protected 
processing environment 154 with necessary permis- 
sions to allow consumers 95 to watch particular pro- 
grams (for example, on a pay per view basis) and to 
assist in enforcing prohibitions, such as, for example, a 
copy protection mechanism 120. 

Rights holders in video program 102a may further require 
the appliance 100 protected processing .environment 
154 to possess a "digital certificate" 122 certifying the 
consumer's identity, age, or the like before consumers 
95 can watch video program 102a. Distributed Com- 
merce Utility 75 may include a special purpose Com- 
merce Utility System 90d called a "certifying author- 
ity" 500 that creates and provides "digital certificates" 
504 to the protected processing environment 154 — 
allowing the consumers to efficiently interact with the 
permissions provided by the rights holders. 

Other Commerce Utility Systems 90 shown in FIG. IB 
include: 

A "Secure directory services" 600 that may assist the 
protected processing environment 154 in communicat- 
ing electronically with other computers and appliances 
over network 150; 
A "transaction authority" 700 that may be available for 
process control and automation such as, for example, 
securely auditing and overseeing complicated elec- 
tronic transactions involving protected processing envi- 
ronment 154; and 
A virtual distribution environment ("VDE") "administra- 
tor" 800 that may, in the preferred embodiment, keep 
the protected processing environment 154 operating 
smoothly and securely. 
Still other Commerce Utility Systems 90 not shown in 
FIG. IB may be used to administer and/or support additional 
functions and operations. The various Commerce Utility 
Systems 90 can work together, dividing up the overall tasks 
to support the consumers 95 efficiently and effectively. 

Commerce Utility Systems Can Be Distributed 

FIGS. 2A-2E show how Distributed Commerce Utility 75 
can be distributed. Some administrative and support func- 
tions of Commerce Utility Systems 90 can be performed 
within a consumer's electronic appliance 100— or even in a 
"spread out" fashion over a large number of different appli- 
ances cooperating together. 

As described above, appliances 100 each provide a pro- 
tected processing environment 154 that is tamper resistant 
and provides a secure place in which administrative and 
support operations can be performed. This allows an elec- 
tronic appliance 100 within a consumer's home to perform 
operations that can trusted by other parties, such as rights 
holders, electronic commerce participants, and the like. 
Because of the trusted, protected characteristics of protected 
processing environment 154, the parts, extensions or even 
the entirety of a Commerce Utility System 90 may exist 
within each or any of the protected processing environments 
154 and associated electronic appliances within the overall 
system. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



19 



20 



10 



FIGS. 2A-2E represent the overall functions of an 
example Commerce Utility System 90 such as Usage Clear- 
inghouse 300 as a four-piece jigsaw puzzle. FIGS. 2A-2E 
show that these Commerce Utility System functions can be 
distributed to varying degrees. For example: 5 
FIG. 2A shows an example in which all functions of the 
Commerce Utility System 00 are performed in a secure 
central facility. 

FIG. 2B shows an example in which most functions of the 
Commerce Utility System 90 are performed in a secure 
central facility, but some of its functions are performed 
within the protected processing environment 154 of a 
user electronic appliance 100. 

FIG. 2C shows an example in which some functions of the 15 
Commerce Utility System 90 are performed in a secure 
central facility, but most of its functions are performed 
within the protected processing environment 154 of a 
user electronic appliance 100. 

FIG. 2D shows an example in which some functions of 2 o 
the Commerce Utility System 90 are performed in a 
secure central facility, some of its functions are per- 
formed within the protected processing environment 
154A of a first user electronic appliance 100A, and 
some of its functions are performed within the pro- 25 
tected processing environment 154B of a second user 
electronic appliance 100B. 

FIG. 2E shows an example in which none of the functions 
of the Commerce Utility System 90 are performed in a 
secure central facility; some of its functions are per- 30 
formed within the protected processing environment 
154(1) of a first user electronic appliance 100(1), some 
of its functions are performed within the protected 
processing environment 154(2) of a second user elec- 
tronic appliance 100(2), ), some of its functions are 35 
performed within the protected processing environment 
154(3) of a third user electronic appliance 100(3), and 
some of its functions are performed within the pro- 
tected processing environment 154(N) of a Nth user 
electronic appliance 100(N). 40 

Alternately or in addition, some of the functions of the 
Commerce Utility System 90 may be distributed within 
network 150 — for example, in the equipment used to com- 
municate data between appliances 100. 

45 

Distributing Multiple Administrative and Support 
Functions 

FIG. 3A shows how multiple Commerce Utility System 
90 functions or sub-functions can be distributed into the 
same protected processing environment 154. 50 

For example: 

Financial clearinghouse function 200a operating within 
consumer appliance IGOA's protected processing envi- 
ronment 154a may provide certain financial clearing 55 
such as auditing that can take the place of and/or 
support some of the financial clearing operations per- 
formed by a centralized financial clearinghouse 200. 

Usage clearinghouse function 300a operating within con- 
sumer appliance lOOA's protected processing environ- 6 o 
meat 154a may perform certain usage information 
clearing operations, such as, for example, combining or 
analyzing collected usage information to complement, 
substitute for, or add to usage clearing operations 
performed by usage clearinghouse 300. 65 

Appliance lOOA's protected processing environment 
154a may perform certain rights and permissions clear- 



ing operations 400a, certain certifying authority opera- 
tions 500a, and certain secure directory services sup- 
port operations 600a all at the consumer's site to 
complement, add to or substitute for operations per- 
formed by rights and permissions clearinghouse 400, 
certifying authority 500 and secure directory services 
600. 

FIG. 3B shows that another example consumer electronic 
appliances 100(2), . . . , 100N (in this case personal 
computers 124) might perform different combinations of 
support or administrative functions locally (for example, 
some or all of the functions performed by transaction 
authority 700). For example: 

the processes within protected processing environment 
154(1) may rely on a partially distributed and partially 
centralized financial clearinghouse 200A, a partially 
distributed and partially centralized usage clearing- 
house 300A, a partially distributed and partially cen- 
tralized rights and permissions clearinghouse 400 A, a 
partially distributed and partially centralized certifying 
authority 500 A, a centralized secure directory services 
600A, and a centralized transaction authority 700A; 
the processes within protected processing environment 
154(2) may rely on a centralized financial clearing- 
house 200B, a partially distributed and partially cen- 
tralized usage clearinghouse 300B, a partially distrib- 
uted and partially centralized rights and permissions 
clearinghouse 400B, a centralized certifying authority 
500B, a centralized secure directory services 600B, and 
a partially distributed and partially centralized transac- 
tion authority 700B; and 
the processes within protected processing environment 
154(N) may rely on a partially distributed and partially 
centralized financial clearinghouse 200N, a partially 
distributed and partially centralized usage clearing- 
house 300N, a partially distributed and partially cen- 
tralized rights and permissions clearinghouse 400N, a 
partially distributed and partially centralized certifying 
authority SOON, a partially distributed and partially 
centralized secure directory services 600N, and a par- 
tially distributed and partially centralized transaction 
authority 700N. 
Taking this concept of distributed clearing services 
further, it would be possible to completely distribute the 
Distributed Commerce Utility 75 as shown in FIG. 
3C — relying mostly or completely on administrative and 
support service operations and activities within the secure, 
protected processing environments 154 of users' electronic 
appliances 100. Thus, the users' own electronic appliances 
100 could — in a distributed manner — perform any or all of 
financial, usage, and rights and permissions clearing, as well 
as certification, secure directory services and transaction 
authority services. Such "local" and/or parallel and/or dis- 
tributed processing transaction clearing might more effi- 
ciently accommodate the needs of individual consumers. For 
example, this is one way of allowing consumers to contrib- 
ute controls that prevent certain private data from ever 
leaving their own electronic appliance while nevertheless 
providing rightsholders with the summary information they 
require. 

The distributed arrangements shown in FIGS. 2A-2E and 
3A-3C are not mutually exclusive ways of providing cen- 
tralized Commerce Utility System 90. To the contrary, it 
may be advantageous to provide hybrid arrangements in 
which some administrative and support service functions 
(such as, for example, micro-payment aggregation, usage 
data privacy functions, and some issuing of certificates, such 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



21 



22 



as parents issuing certificates for their children) are widely 
distributed while other administrative and support service 
functions (for example, issuance of important digital 
certificates, maintaining massive data bases supporting 
secure directory services, etc.) are much more centralized. 
The degree of distributedness of any particular administra- 
tive and support service, clearinghouse or function may 
depend on a variety of very important issues including, for 
example, efficiency, trustedness, scalability, resource 
requirements, business models, and other factors. In 
addition, the degree of distribution may involve multiple 
levels of hierarchy based, for example, on sub-sets deter- 
mined by specific business models followed by specific 
business sub-models, or, for example, geographic and/or 
governing body and/or region areas. 

Since a given electronic appliance 100 can participate in 
multiple activities, it is possible that its different activities 
may rely on different blends of distributed and centralized 
Commerce Utility Systems 90. For example, for one activity 
a protected processing environment 154 may rely on a 
centralized financial clearinghouse 200, for another activity 
it may rely on a partially distributed and partially centralized 
financial clearinghouse 200, and for still another activity it 
may rely on a wholly distributed financial clearinghouse 
200. Different degrees of distributedness may be used for 
different activities or business models. 

Web of Commerce Utility Systems 

FIG. 4 shows that Commerce Utility System 75 may 
comprise a vast "web" of distributed, partly distributed 
and/or centralized Commerce Utility Systems 90. Network 
150 can be used to connect this web of Commerce Utility 
Systems 90 to a variety of different electronic appliances 100 
that can all share the Distributed Commerce Utility 75. For 
example, electronic network 150 can connect to: 

set top boxes 106 and/or media players 104, 

personal computers 124, 

computer graphics workstations 126, multi-media/video 

game systems 128, or 
any other kinds of electronic appliances 100 including for 
example, manufacturing control device, household 
appliances, process control equipment, electronic net- 
working and/or other communication infrastructure 
devices, mainframe and/or mini computers, etc. 
In this example, the same Distributed Commerce Utility 
75 can support a variety of different kinds of activities of a 
number of different consumers, authors, distributors, 
providers, merchants, and other people — and the Distributed 
Commerce Utility 75 can support a very large variety of 
different electronic activities. FIG. 4 also shows that Com- 
merce Utility Systems 90 may communicate with electronic 
appliances 100 (and with each other) by exchanging elec- 
tronic "containers'* 152 of the type disclosed in Ginter et al. 
for purposes of security (for example, secrecy, authenticity 
and integrity) and managed through the use of secure rules 
and controls processed in protected processing environ- 
ments. 

The Commerce Utility Systems Web Can Be 
Virtually Limitless 

FIG. 4A shows that the web of Commerce Utility Systems 
may be vast or limitless. Indeed, network 150 may be a 
seamless web stretching around the world and connecting 
millions upon millions of electronic appliances with any 
number of Commerce Utility Systems 90. 

The Commerce Utility Systems 90 web may provide a 
very complex interconnection with a variety of different 



10 



15 



20 



30 



types of electronic appliances performing a variety of dif- 
ferent electronic functions and transactions. As mentioned 
above, any of electronic appliances 100 may be able to 
communicate with any of the Commerce Utility Systems 90 
or with any other electronic appliance. This allows maxi- 
mum efficiency and flexibility in terms of allocating differ- 
ent Commerce Utility Systems to different electronic trans- 
actions. For example: 
Geographically close Commerce Utility Systems might 
best be used to minimize the amount of time it takes to 
get messages back and forth. 
In some cases, more distant Commerce Utility Systems 
might be better equipped to efficiently handle certain 
lands of specialized transactions., 
Government regulations might also, at least in part, dic- 
tate the selection of certain Commerce Utility Systems 
over others, (for example, a Japanese customer may-run 
into legal problems if she tries to use a financial 
clearinghouse 200 located in the Cayman Islands — or a 
New Jersey resident might be required by law to deal 
with a financial clearinghouse 200 that reports New 
Jersey sales tax). 
Different, competitive Commerce Utility Systems are 
likely to be offered by different parties and these 
different systems would populate the web comprising 
Distributed Commerce Utility 75. Interoperability 
between such System and/or their nodes is important 
for efficiency and to allow reusability of electronic 
commerce resources. 

Rights Holders And Providers Can Choose Among 
Commerce Utility Systems 

FIG. 5 shows how rights holders can select between 
35 different Commerce Utility Systems 90. In this example, 
Bob operates a first usage clearinghouse 300a, Alice oper- 
ates a second usage clearinghouse 300fc, and Helen operates 
a third usage clearinghouse 300c. These various usage 
clearing service providers may compete with one another 
based on quality and/or price, or they may be complemen- 
tary (for example, they may each specialize in different 
kinds of transactions). 

Because electronic network 150 may connect electronic 
appliances 100 to many different Commerce Utility Systems 
90, rightsholders in the digital properties the consumers are 
using may have a number of different Commerce Utility 
Systems to choose from. Content providers and rights hold- 
ers may authorize particular (or groups of) Commerce 
Utility Systems 90 to handle different aspects of transac- 
tions. For example: 

Computer software distributor might specify that a per- 
sonal computer 124 should send metering information 
116a to Helen's usage clearinghouse 300c for moni- 
toring usage of the computer software or other activi- 
ties performed by the personal computer. 
A rights holder in video program 102a might specify that 
set top box 106 should send metering information 116 
about the video to Alice's usage clearinghouse. 
A multimedia content provider might specify that Bob's 
usage clearinghouse 300a should be used for process- 
ing usage data 116c generated by multimedia player 
128. 

In some instances, particular consumers 95 may also pay 
a role in specifying in advance particular clearinghouses or 
other Commerce Utility Systems 90 they prefer to use. FIG. 
5 illustrates the provider's (and/or consumer's) choice by a 



40 



45 



50 



55 



60 



65 



01/11/2004, EAST Version: 1.4.1 



US 6,6 

23 

policeman directing metering traffic to selected usage clear- 
inghouses 300 (electronic controls as described herein and in 
Ginter et aL would preferably be the mechanism actually 
controlling how traffic is directed). 

A content provider or rights holder could allow a con- 
sumer 95 to select from a group of Commerce Utility 
Systems 90 (and/or Commerce Utility Systems 90 
providers) the content provider/rights holder wants to deal 
with. For example: 

A television studio might authorize specific individual or 
classes of Commerce Utility Systems 90 to handle 
transactions relating to its television programs and/or it 
may specify particular individual or classes of Com- 
merce Utility Systems 90 that it doesn't want to have 
handle its transactions. 
Particular Commerce Utility Systems 90 may set require- 
ments or standards for individual (or., classes of) pro- 
viders and/or consumers 95. 
Value chain participants could enter into legal agreements 
and/or business relationships with different Commerce 
Utility Systems 90. 

Commerce Utility Systems Can Work Together 

FIG. 6 shows that different Commerce Utility Systems 90 
can work together to support different kinds of operations. In 
this example: 

Usage clearinghouse 30©a, rights and permissions clear- 
inghouse 400a, certifying authority 500a, and financial 
clearinghouse 200a (left-hand side of drawing) might 
be used to support a particular operation by set top box 
106 and television set 102. 

The same financial clearinghouse 200a but a different 
usage clearinghouse 300/), a different certifying author- 
ity 500/) and a different rights and permissions clear- 
inghouse 400/) (top of drawing) might be used to 
support certain activities on personal computer 124. 

A still different financial clearinghouse 200c, certifying 
authority 500c and usage clearinghouse 300c but the 
same rights and permissions clearinghouse 4006 (right- 
hand side of drawing) might be used to support elec- 
tronic activities of multimedia system 128. 

A still different combination of Commerce Utility Sys- 
tems, (in this example, usage clearinghouse 300c, 
financial clearinghouse 200a", rights and permissions 
clearinghouse 4C0c and certifying authority 500a — 
along the bottom of the drawing) might be used to 
support sound system 130. 

This example shows that various Commerce Utility Sys- 
tems 90 may operate in combination, and that different 
combinations of Commerce Utility Systems might be used 
to support different electronic transactions. 

Administrative and Support Service Functions Can 
Be Combined Within General Purpose Commerce 
Utility Systems For Efficiency or Convenience 

FIG. 7 shows that different special purpose Commerce 
Utility Systems 90 administrative and support service func- 
tions or sub-functions may be integrated together into more 
general or multi-purpose Commerce Utility Systems 90 for 
maximum convenience, efficiency or other reasons. For 
example: 

Bob may operate an integrated or combined Commerce 
Utility System 90a providing a financial clearinghouse 
200a function, a certifying authority 500a function, and 
a usage clearinghouse 300a function. 



58,568 Bl 

24 

Anne may operate an integrated or combined Commerce 
Utility System 906 providing a financial clearinghouse 
function 200/), a rights and permissions clearinghouse 
function 400/? and a transaction authority function 
5 700/). 

Helen may operate an integrated or combined Commerce 
Utility System 90c providing a rights and permissions 
clearinghouse function 400c and a certifying authority 
function 500c. 

10 Roger may operate an integrated or combined Commerce 
Utility System 90a* providing secure directory services 
600a\ usage clearinghouse services 300d, financial 
clearinghouse services 200rf and rights and permissions 
clearinghouse 400d. 
A consumer operating electronic appliances 100 may 
15 access any or all of these different Commerce Utility Sys- 
tems 90 or combinations. For example, set top box 106 
might obtain rights, and permissions and certificates from 
Helen's Commerce Utility System 90c, but might make use 
of Bob's Commerce Utility System 90a for financial clear- 
20 ing and usage analysis. 

A Commerce Utility System 90 may provide any combi- 
nation of administrative and support functions or subfunc- 
tions as may be desirable to perform the operations required 
in certain business models, provide maximum efficiency, 
25 and/or maximize convenience. For example, Arine's Com- 
merce Utility System 90(2) might provide only a specialized 
subset of financial clearinghouse function 

FIG. 7A shows another illustration of how Commerce 
Utility Systems 90 can offer a wide variety of different 
30 combinations or subcombinations of administrative and sup- 
port functions. In this FIG. 7 A diagram each of the various 
administrative and support service functions is represented 
(for purposes of illustration) as a different kind of child's 
play block: 

35 financial clearing functions 200 are shown as square 
blocks, 

Usage clearing functions 300 are shown as half-circle 
blocks, 

^ Rights and permissions clearing functions 400 are shown 
as rectangular blocks, 
Certifying authority functions 500 are shown as triangular 
blocks, 

Secure directory service functions 600 are shown as 
4S tunnel blocks, and 

Transaction authority functions 700 are shown as cylin- 
ders. 

Consumer and user appliances 100 are shown as standing- 
up rectangular columns in the diagram. Electronic network 
50 150 is shown as a road which connects the various Com- 
merce Utility Systems to one another and to consumer 
electronic appliances 100. Electronic digital containers 152 
may be carried along this electronic network or "information 
highway" 150 between different electronic installations. 
55 FIG. 7A illustrates just some of the many possible admin- 
istrative and support service combinations that might be 
used. For example: 

In the upper left-hand corner, a Commerce Utility System 
90A provides at least some financial clearing functions 
60 200a, at least some rights and permissions clearing 
functions 400a, and at least some certifying functions 
500a. This type of overall electronic Commerce Utility 
System 90A might, for example, be in the business of 
managing and granting rights on behalf of rights hold- 
65 ers and in handling payments based on those rights. 
The Commerce Utility System 90D just to the right of 
installation 90A comprises financial clearing services 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

25 26 

200rf and transaction authority services 700a. It might work. In still another example arrangement, the more spe- 

be especially useful in, for example, auditing and/or cialized Commerce Utility Systems do some of the work and 

managing an overall complex multi-step transaction the more overarching Commerce Utility Systems do other 

while also ensuring that appropriate parties to the parts of the work. The particular division of work and 

transaction are paid. 5 authority used in a particular scenario may largely depend on 

In the lower center of the diagram there is a Commerce factors such as efficiency, trustedness, resource availability, 

Utility System 90B including financial clearing func- mc k""* 5 of transactions being managed, and a variety of 

tions 200f and usage clearing functions 300c. This other factors. Delegation ofclearing authority may be partial 

Commerce Utility System 90B could be especially (e.g., delegate usage aggregation but not financial or rights 

useful, for example, for handling payment and other 10 management responsibilities), and may be consistent with 

financial details relating to electronic usage tr ansae- peer-to-peer processing (e.g., by placing some functions 

tions and also providing audit and report services based within consumers' electronic appliances while keeping 

on the electronic usage. some more important functions centralized). 

THe Commerce Utility System 90C shown in the bottom Multi . Function Commerce Utility Systems Can be 

center of the drawing combines certifying authon y Organized Hierarchically or Peer-to-Peer 
services 500 with usage clearing services 300/. It could 

.be especially useful in issuing digital certificates and FIG. 9 shows a still different, more complex Commerce 
then tracking the usage of those certificates (for Utility System environment including elements of both a 
example, in order to evaluate risks, potential liability, hierarchical chain of command and a high degree of coop- 
insurance costs, etc.). 20 oration in the horizontal direction between different multi- 
The various examples shown in FIG. 7 A are for purposes function Commerce Utility Systems 90. In this example, 
of illustration. Other combinations are possible or likely there are five different levels of responsibility with a master 
depending on business objectives, convenience and other or overarching Commerce Utility Systems 90(1) (for 
factors. example, a financial clearinghouse 200) on level 1 having 

25 the most authority and with additional Commerce Utility 

Commerce Utility System Hierarchies Systems on levels 2, 3, 4, and 3 have successively less 

FIG. 8A shows that Commerce Utility Systems 90 or P ower > authority, control, scope and/or responsibuity. FIG. 9 

functions can be arranged in a hierarchy. For example, an also different Commerce Utility Systems on the 

overall financial (or other) clearinghouse 200(N) may over- 30 samc levcl ma y have different functions, scopes and/or areas 

see and/or have ultimate responsibility for the operations of of responsibility. For example: 

numerous other financial (or other) sub-clearinghouses 200 a Commerce Utility System 90(2X1) may be a "type A" 

(1), 200(2), .... In the FIG. 8A example, a consumer Commerce Utility System, 

electronic appliance 100 might interact with a clearinghouse Commerce Utility System 90(2)(2) might be a "type B" 

200(1), which might in turn interact with another clearing- 35 Commerce Utility System, and 

house 200(2), etc. This administrative and support service Commerce Utility System 90(2)(3) might be a "type C" 

"hierarchy" might be thought of as being similar in some Commerce Utility System. 

ways to a chain of command in a large corporation or in the 0o the next lcvcl dowil) Cb mmcrcc Utility Systems might 

military— with some clearinghouses exercising and/or del- be type A Commerce Utility System (such as, 90(3X1) and 

egating power, control and/or supervision over other clear- w 90(3)(2)), they might be type B Commerce Utility Systems 

inghouses. ( such ^ 90(3)(4)), they might be type C Commerce Utility 

FIG. 8B shows another example of a administrative and Systems (such as, 90(3)(5), 90(3)(6)), or they might be 

support service hierarchy. In this example, a number of hybrids — such as, Commerce Utility System 90(3X3) which 

centralized overall clearinghouses and/or other Commerce is a hybrid having type A and type B functions. 

Utility Systems 90 delegate some or all of their work 45 FIG. 9 also shows that additional clearinghouses on levels 

responsibilities to other Commerce Utility Systems 90. In 4 and 5 might have sub-types as well as types. In the context 

this particular example shown, organizations, such as G f a financial clearinghouse 200 for example, Type A might 

companies, non-profit groups or the like may have their own be responsible for consumer credit, Type B for electronic 

Commerce Utility Systems 156. Certain electronic com- checks, and Type C for commercial credit. Another demar- 

merce or other activities (the entertainment industry, for 50 cation might be clearing for Visa (Type A), Mastercard 

example) might have their own vertically-specialized Com- (Type B) and American Express (Type C). A Type A/B 

merce Utility Systems 158. Certain geographical, territorial clearinghouse would then be a clearing delegation that could 

or jurisdictional groups (e.g., all purchasers of particular handle both consumer credit and electronic check clearing, 

products within the state of Wisconsin) may have their own A Type B Subtype I might be responsible for commercial 

territorial/jurisdictional specialized Commerce Utility. Sys- 55 electronic checks. A Type C Subtype I might be commercial 

terns 160. Commerce Utility Systems 156, 158, 160 lower in credit card transactions, and Subtype III might be credit 

the hierarchy may, in turn, further delegate authorities or drafts. The rationale for multiple instances might be based 

responsibilities to particular consumers, organizations or 0 n jurisdictional boundaries (e.g., France, Germany, New 

other entities. York, and Alabama), and/or contractual arrangements (e.g., 

In one example arrangement, the Commerce Utility Sys- 60 delegation of responsibility for bad credit risks, small 

terns 90 to which authority has been delegated may perform purchasers, very large transactions, etc.) The peer-to-peer 

substantially all of the actual support work, but may keep the dimension might reflect a need to coordinate an overall 

more over arching Commerce Utility Systems 90 informed transaction (e.g., between a small purchaser's clearinghouse 

through reporting or other means. In another arrangement, and a large commercial player's clearinghouse), 

the over arching Commerce Utility Systems 90 have no 65 A rights and permissions clearinghouse 400 might break 

involvement whatsoever with day to day activities of the out along content types (e.g., movies; scientific, technical 

Commerce Utility Systems to whom they have delegated and medical; and software). Subtype A might include first 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

27 28 

run movies, oldies, and art films; subtype B might handle tronic wallet supplying electronic money, for use in paying 
journals and textbooks; and type C might be responsible for for electronic services or content. This electronic wallet may 
games, office, educational content. Peer-to-peer communi- hold money in digital form. Consumers 95 can spend the 
cations between clearinghouses could involve multimedia digital money on whatever they wish. When the electronic 
presentation permissions (e.g., a multimedia presentation 5 wallet is empty, consumers 95 can have the financial clear- 
might have permissions stored at one clearinghouse that uses inghouse 200 replenish the wallet by authorizing the finan- 
a back channel to other clearinghouses to ensure that the cial clearinghouse to debit the funds from the consumers' 
latest permissions are distributed). account in their bank 206a. Financial clearinghouse 200 

Some Example Commerce Utility Systems 7* P rocess f^* 0 ™ ™T7 W™* 4 ™** £ e 
r 10 electronic wallet to be refilled automatically (based on the 
As described above, Commerce Utility Systems 90 are consumers' pre-authorization, for example) when the con- 
generalized and programmable — and can therefore provide sumers have spent all of its former contents, and provide the 
a mix of different support and administration functions to consumers with detailed reports and statements 204 about 
meet requirements of a given transaction. Thus, many or t, ow mey have spent their electronic money, 
most Commerce Utility Systems 90 as actually implemented 15 

may provide a range of different support and administrative Usage Clearinghouse 300 

functions that may make it difficult to categorize the imple- . , . , 

. . 7 c . . ((1 .5„ fP y FIG. 11 shows an example usage clearinghouse 300. 

mentat.on-as being of one particular "land of Commerce ^ clearinghouse 300 in ."this example recSves" usage 

Utahty System as opposed to another. information 302 from usage meter 116, analyzes the usage 

Nevertheless, certain types of idealized specialized Com- 20 mfonna , ion and provides reports based on the analysis it 

merce Utility Systems 90 are particularly useful for a wide forms y clearingnouse 300 may securely coordinate 

range of models, transactions and applications. It is helpful ^ otbel Commerce Utility Systems 90 in accomplishing 

and convenient to describe some of the characteristics of ^ \as\is 

these "pure" Commerce Utility Systems of different types — _ , ... , 

recognizing that actual implementations may mix functions For exam P le > «fW cleannghouse 300 may send the 

or function subsets from several of these idealized models. ™ 95 a deUll ? d «P° rt 304 « ° f M mo y ies ' 

Tne following are brief vignettes of some of the character- telev f° n V">B£™ and ^material the consumers have 

istics of such "pure" idealized Commerce Utility Systems. watched over the last month. The communication between 

protected processing environment 154 and usage clearing- 
Financial aearinghouse 200 house 300 may be in the form of secure containers 152. As 
FIG. 10 shows an example financial clearinghouse 200 in 30 described in the Ginter et al. patent disclosure, usage meter 
more detail. Financial clearinghouse 200 handles payments 116 can meter use on the basis of a number of different 
to ensure that those who provide value are fairly compen- factors, and can range from being extremely detailed to 
sated. Financial clearinghouse 200 may securely coordinate being turned off altogether. The consumers, if they desire, 
with other Commerce Utility Systems 90 in performing this c <> uld vi ew me detailed usage report 304a on their television 
task. set 102. 

In this example, financial clearinghouse 200 may com- Usage clearinghouse 300 can report to others about the 
municate with appliance protected processing environment consumers* viewing habits consistent with protecting the 
154 over electronic network 150 in a secure manner using consumers* privacy. These reports can also be sent within 
electronic containers 152 of the type described, for example, m secure containers 152. For example, usage clearinghouse 
in the Ginter et al. patent specification in connection with 300 might provide a summary report 304ft to advertisers 306 
FIGS. 5A and 5B. Financial clearinghouse 200 may receive that does not reveal the consumers' identity but provides the 
payment information 202 from protected processing envi- advertisers with valuable information about the consumers' 
ronment 154 in these secure containers 1S2, and interact viewing habits. On the other hand, with the consumers' 
electronically or otherwise with various banking, credit card 4S consent, usage clearinghouse 300 could provide a more 
or other financial institutions to ensure that appropriate detailed report revealing the consumers' identity to adver- 
payment is made. users 306 or to other specified people. In return, the con- 
Financial clearinghouse 200 may, for example, interact sumers 95 could be given incentives, such as, for example, 
with a consumer's bank 206a, a provider's bank 2066 and a discounts, cash, free movies, or other compensation, 
consumer's credit card company 206c. For example, finan- 50 Usage clearinghouse 300 can also issue reports 304c to 
cial clearinghouse 200 can debit funds from the consumer's rights holders 308 — such as the producer or director of the 
bank 206a and credit funds to the rights holder's bank 2066 video program 102a the consumers 95 are watching. These 
to pay for the consumers' watching of a movie, television reports allow the rights holders to verify who has watched 
program or other content. Additionally or alternately, finan- their program material and other creations. This can be very 
cial clearinghouse 200 may interact with a consumer's credit 55 useful in ensuring payment, or in sending the consumers 
card company 206c to request credit checks, obtain credit other, similar program material they may be interested in. 
authorizations, payments and the like. Usage clearinghouse 300 might also send reports 3044 to 
Financial clearinghouse 200 may provide payment state- a ratings company 310 for the purpose of automatically 
ment statements 204 to consumers 95 — for example, by rating the popularity of certain program material. Usage 
transmitting the statements to appliance 100 in a secure 60 clearinghouse 300 might also send reports to other market 
electronic container 1526 to preserve the confidentiality of researchers 312 for scientific, marketing or other research, 
the statement information. In this example, consumers 95 

can view the statements 204 using their appliance 100 Rl S hts ™ Permissions Cleannghouse 400 
protected processing environment 154, and may also be able FIG. 12 shows an example rights and permissions clear- 
to print or save them for record-keeping purposes. 65 inghouse 400. Rights and permissions clearinghouse 400 
In one example, the payment mechanism 118 provided by stores and distributes electronic permissions 404 (shown as 
protected processing environment 154 might be an elec- a traffic light in these drawings). Permissions 404 grant and 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

29 .30 

withhold permissions, and also define consequences. Rights driver's license or a high school diploma in some respects, 

and permissions clearinghouse 400 may work with other since they each provide proof of a certain fact. For example, 

Commerce Utility Systems 90 to accomplish its tasks. we may show our drivers' license to prove that we are old 

In this example, rights and permissions clearinghouse 400 enough to vote, buy liquor, or watch an "R" rated movie, 

may act as a centralized "repository*' or clearinghouse for 5 This same driver's license attests to the fact that we have a 

rights associated with digital content. For example, certain name and live at a certain address, and that we have 

broadcasters, authors, and other content creators and rights certain knowledge (of state motor vehicle laws) and skills 

owners can register permissions with the rights and permis- (the ability to maneuver a motor vehicle). Digital certificate 

sions clearinghouse 400 in the form of electronic "control 504 is similar to that aspect of a driver's license that 

sets." These permissions can specify what consumers can 10 confirms the identity of, and related facts pertaining to the 

and can't do with digital properties, under what conditions licensee, except that it is made out of digital information 

the permissions can be exercised and the consequences of instead of a laminated card. 

exercising the permissions. Rights and permissions clear- In this example, certifying authority 500 may receive 

inghouse 400 can respond to requests 402 from electronic consumer requests and associated evidence 502, and may 

appliance protected processing environment 154 by deliv- 15 corresponding digital certificates 504 that certify par- 

ering permissions (control sets) 188 in response. ticular facts. Certifying authority 500 may also receive 

For example, suppose that consumers 95 want to watch a. evidence, credentials and possibly also certificate definitions 

concert or a fight on television set 102. They can operate from other people such as government authorities 506, 

their remote control unit 108 to request the right to watch a professional organizations 508 and universities 510. As one 

certain program. Protected processing environment 154 may 20 example, the certifying authority 500 might receive birth 

automatically contact rights and permissions clearinghouse certificate or other identity information from a government 

400 over electronic network 150 and send an electronic authority 506. Based on this identity information, the certi- 

request 402. The rights and permissions clearinghouse 400 fying authority 500 may prepare and issue a digital ccrtifi- 

can "look up" the request in its library or repository to see cate 504 that attests to person's identity and age. The 

if it has received (and is authorized to provide) the necessary 25 certifying authority 500 might also issue digital certificates 

permission 4046 from the program's rights holder 400. It 504 attesting to professional status, employment, country of 

may then send the requested permission 188 to protected residence, or a variety of other classes and categories based 

processing environment 154. on various evidence and inputs from various people. 

For example, permission 188 might allow the consumers Certifying authority 500 may certify organizations and 
to view the concert or fight only once and prohibit its 30 machines as well as people. For example, certifying author- 
copying with copy protection mechanism 120. Permission ity 500 could issue a certificate attesting to the fact that 
188 may also (or in addition) specify the price for watching Stanford University is an accredited institution of higher 
the program (for example, $5.95 to be deducted from the learning, or that the ACME Transportation Company is a 
consumers' electronic wallet). Appliance 100 can ask the corporation in good standing and is authorized to transport 
consumers 95 if they want to pay $5.95 to watch the 35 hazardous materials. Certifying authority 500 could also, for 
program. If they answer "yes" (indicated, for example, by example, issue a certificate 504 to a computer attesting to the 
operating remote control 108), the appliance 100 can auto- fact that the computer has a certain level of security or is 
matically debit the consumers' electronic wallet and authorized to handle messages on behalf of a certain person 
"release" the program so the consumers can watch it ^ or organization. 

Rights and permissions clearinghouse 400 can deliver Certifying authority 500 may communicate with pro- 
permissions 188 within a secure container 152b that may tected processing environment 154 and with other parties by 
optionally also contain the information controlled by the exchanging electronic containers 152. Electronic appliance 
permissions — or permission 188 may arrive at a different 100's protected processing environment 154 may use the 
time and over a different path than the program or other 45 digital certificates 504 the certifying authority 500 issues to 
content travels to the appliance 100. For example, the manage or exercise permissions 188 such as those issued by 
permissions could be sent over network 150, whereas the rights and permissions clearinghouse 400. For example, set 
program it is associated with may arrive directly from top box 106 might automatically prevent any consumer 
satellite 112 or over some other path such as cable television under 17 years of age from watching certain kinds of 
network 114 (see FIG. 1). 5Q program material, or it might provide a payment discount to 

Rights and permissions clearinghouse 400 may also issue students watching educational material — all based on cer- 
reports 406 to rights holders or other people indicating nficates 504 issued by certifying authority 500. 
which permissions have been granted or denied. For . 
example, the author of a book or video might, consistent becure Uireclor y **™ces 
with consumer privacy concerns, be able to learn the exact 5S FIG. 14 shows an example of secure directory services 
number of people who have requested the right to publish 600. Secure directory services 600 acts something like a 
excerpts from his or her work. These kinds of reports can computerized telephone or name services directory. Con- 
supplement reports provided by usage clearinghouse 300. sumers 95 can send a request 602 specifying the information 

. they need. Secure directory services 600 can "look up" the 

Certifying Authority 500 ^ information an d provide the answer 604 to consumers 95. 

FIG. 13 shows an example of a certifying authority 500. Secure directory services 600 can work with other Com- 

Certifying authority SCO issues digital certificates 504 that merce Utility Systems 90 to perform its tasks, 

provide a context for electronic rights management. Certi- • For example, suppose consumers 95 want to electro ni- 

fying authority 500 may coordinate with other Commerce cally order a pizza from Joe's Pizza. They decide what kind 

Utility Systems 90 to accomplish its tasks. 65 of pizza they want (large cheese pizza with sausage and 

Certifying authority 500 issues digital certificates 504 that onions for example). However, they don't know Joe's Piz- 

certify particular facts. Digital certificate 122 is like a za's electronic address (which may be like an electronic 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



31 



32 



phone number). Consumers 95 can use remote control 108 
to input information about what they want to have looked up 
("Joe's Pizza, Lakeville, Conn/*). Protected processing 
environment 154 may generate a request 602 containing the 
identification information and send this request to secure 
directory services 600. It can send the request in a secure 
container 152a. 

When secure directory services 600 receives the request 
602, it may access a database to locate the requested 
information. Secure directory services 600 may have earlier 
obtained Joe's electronic address directly from Joe or oth- 
erwise. Secure directory services 600 may send the 
requested information back to appliance 100 in a response 
604. Response 604 may also be in a secure container 152b. 
The consumers 95 can use this information to electronically 
send their order to Joe's Pizza — which can display on Joe's 
order terminal within a few seconds after the consumers 
send it. Joe may deliver to consumer 95 a piping hot cheese, 
sausage and onion pizza a few minutes later (by car — not 
electronically — since a physical pizza is much more satis- 
fying than an electronic one). 

Secure directory services 600 can help anyone connected 
to network 150 contact anyone else. As one example, secure 
directory services 600 can tell usage clearinghouse 300 how 
to find a financial clearinghouse 200 on network 150. Any 
electronic appliance 100 connected to network 150 could 
use secure directory services 150 to help contact any other 
electronic appliance. 

As mentioned above, the request 602 to secure directory 
services 600 and the response 604 it sends back may be 
encased within secure containers 152 of the type described 
in the Ginter et al patent specification. The use of secure 
containers 152 helps prevent eavesdroppers from listening 
into the exchange between consumers 95 and secure direc- 
tory services 600. This protects the consumers' privacy. The 
consumers 95 may not care if someone listens in to their 
pizza order, but may be much more concerned about pro- 
tecting the fact that they are corresponding electronically 
with certain other people (e.g., doctors, banks, lawyers, or 
others they have a relationship of confidence and trust with). 
Secure containers 152 also help ensure that messages sent 
across network 150 are authentic and have not been altered. 
Electronic containers 152 allow Joe's Pizza to trust that the 
just-received pizza order actually came from consumers 95 
(as opposed to someone else) and has not been altered, and 
the consumers can be relatively sure that no one will send 
Joe a fake pizza order in their name. The use of secure 
containers 152 and protected processing environment 154 in 
the preferred embodiment also ensures that the consumers 
95 cannot subsequently deny that they actually placed the 
order with Joe's Pizza if they in fact did so. 

Transaction Authority 700 

FIG. 15 shows an example transaction authority 700. 
Transaction authority 700 in this example provides process 
control and automation. It helps ensure that processes and 
transactions are completed successfully. Transaction author- 
ity 7C0 may work with other Commerce Utility Systems 90 
to perform and complete its tasks. 

In more detail, transaction authority 700 in this example 
monitors the status of an electronic transaction and/or pro- 
cess and maintains a secure, reliable record of what has 
happened so far and what still needs to happen for the 
overall transaction and/or process to complete. Transaction 
authority 700 may also, if desired, perform a more active 
role by, for example, generating requests for particular 



10 



15 



actions to occur. Transaction authority 700 may in some 
cases be the only participant in a complex transaction or 
process that "knows" all of the steps in the process. Trans- 
action authority 700 can also electronically define an overall 
process based on electronic controls contributed by various 
participants in the process. 

FIG. 15 illustrates an example of how transaction author- 
ity 700 can be used to allow consumers 95 to order mer- 
chandise such as a sweater. In this particular electronic home 
shopping example (which is for purposes of illustration but 
is not intended to be limiting in any way), the consumers 95 
can use their remote control 108 to select the particular 
seller, style and color of a sweater they want to order at a 
particular price. In this home shopping example, appliance 
100's protected processing environment 154 may generate 
an electronic order 702 which it sends to the order receiving 
department 704 of an electronic "mail order" company. The 
order 702 may be sent within a secure container 152a. 
In this example, transaction authority 700 may assist the 
20 electronic mail order company to coordinate activities and 
make sure that all steps required to deliver the sweater are 
performed in an accurate and timely fashion. For example: 
Upon receiving the electronic order 702, the order receiv- 
ing department 704 might provide an electronic noti- 
fication 706 to transaction authority 700. The transac- 
tion authority 700 stores the electronic notification 706, 
and may issue a "requirement'* 708. 
Transaction authority 700 may have issued the require- 
ment 708 before the order was placed so that the order 
receiving department 704 knows what to do when the 
order comes in. 
In accordance with the "requirement" 708, order receiv- 
ing department 704 may issue an electronic and/or 
paper (or other) version of the order 710 to a manu- 
facturing department 712. 
The transaction authority 700 may issue a manufacturing 
requirement 714 to the manufacturing department to 
make the sweater according to the consumers' prefer- 
ences. 

Transaction authority 700 might also issue a supply 
requirement 716 to a supplier 718. For example, trans- 
action authority 700 may request supplier 718 to 
deliver supplies, such as balls of yarn 711, so manu- 
facturer 712 has the raw materials to manufacture the 
sweater. 

Supplier 718 may notify transaction authority 700 when it 
has delivered the supplies by issuing a notification 720. 
When manufacturing department 712 has finished the 
sweater, it may alert transaction authority 700 by 
sending it a notification 722. 
In response to the notification 722 sent by manufacturing 
department 712, transaction authority 700 may issue a 
shipping requirement 724 to a shipping department 
726, for example, requesting the shipping department 
to pick up completed sweater 728 from the manufac- 
turing department and to deliver it to the consumers. 
Transaction authority 700 may coordinate with other 
60 Commerce Utility Systems 90, such as a financial clearing- 
house 200, to arrange payment. 

Of course, this example is for purposes of illustration 
only. Transaction authority 700 may be used for all kinds of 
different process control and automation such as, for 
example, handling electronic orders and sales, electronic 
data interchange (EDI), electronic contract negotiation and/ 
or execution, electronic document delivery, inter and intra 



25 



30 



35 



40 



45 



50 



55 



65 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

33 34 

company transactions, and the secure electronic integration for example, a financial clearinghouse 200, a usage 
of business processes within or among business clearinghouse 300, a rights and permissions clearing- 
organizations^ — just to name a few of many useful applica- house 400, a certifying authority 500, a secure directory 
tions. services 600, and another transaction authority 700V 

5 

VDE Administration Services 800 "A Piece of the Tick" 

VDE administrator 800 (see FIG. 1 of this application and ^ Commerce Utility Systems 90 described herein pro- 
FIG 1A and associated discussion in the Ginter et al. vide valuable, important services and functions. The opera- 
specification) may, in the preferred embodiment, provide a tors of such services can and should be compensated for the 
variety of electronic maintenance and other functions to 10 services they provide. Financial Clearinghouse Commerce 
keep network 150, appliance 100 protected processing envi- Utilit y Systems 200 can ensure that they and other support 
ronments 154 and Distributed Commerce Utility 75 operat- s*™ 4 * providers receive this compensation without incoo- 
ing securely, smoothly and efficiently. For example, VDE venience to other electronic community and value chain 
administrator 800 may manage cryptographic keys used for participants. 

electronic security throughout network 150, and may also In assisting or compensating value chain participants, a 

provide services relating to the maintenance of secure data Commerce Utility System 90 may (based on pre-approved 

by appliances 100, the various Commerce Utility Systems contractual arrangements) take its own portion or.percentage 

90, and other electronic appliances. As described in detail in to compensate it for the clearing services it provides. Sup- 

the Ginter et al. patent disclosure, other important functions port services can be compensated based on a small portion 

performed by VDE administrator 800 include installing and 20 of payment (i.e., a "micro-payment") attributable to each 

configuring protected processing environments 154, and electronic transaction (a "piece of the tick"). Providers may 

helping protected processing environments to securely pass some or all of these fees along to their own value chain 

maintain stored permissions and/or usage data. The VDE participants in various ways. 

administrator 800 may work with other Commerce Utility Several different classes of value chain participants may 

Systems 90. be called upon to compensate the Commerce Utility Systems 

90, including: 

Commerce Utility SyfeosW Can Support One Infonna tion Consumers (including for example, people 
° r who make use of the information "exhaust" generated 
In addition to supporting consumers 95, Commerce Util- 30 by electronic commerce, electronic transaction inan- 
ity Systems 90 can support other Commerce Utility Sys- agement and rights management activities); 
terns. This is shown in FIGS. 16A-16F. For example: Content Rigbtsholders and other Electronic Providers; 
financial clearinghouse 200 can help ensure other Com- Participants in the broadest range of secure, distributed 
merce Utility Systems 90 are paid for their contribu- electronic commerce transactions.; 
tions (see FIG. 16A); and 35 j Q Edition, various support service providers may also 
usage clearinghouse 300 (see FIG. 16B) may inform other need to support one another in various ways — and may 
Commerce Utility Systems 90 concerning how the therefore need to compensate one another. For 
support they provide is being used. For example, usage example: 

clearinghouse 300 may tell certifying authority 500 Gne Commerce Utility System 90 may act as an inter- 
how the certifying authority's certificates have been 40 me diary for another Commerce Utility System 90's 
used (very useful for the certifying authority to keep customer* 

tabs on the amount of potential liability it is undertak- Qne Comm ' erce vm s tem w be required t0 

ing or in helping to detect fraudulent certificates). support ^ operatioD of anQther 0mmm Utility 

FIG. 16C shows that a rights and permissions clearing- ^ System 90; and/or 

house 400 can support other Commerce Utifity Sys- 4 Commerce V \ mty System m may need to work logether 

terns 90 such as, for example, a financial cleannghouse tQ rt a common 

200, a usage clearinghouse 300, another rights and DififereQt Commerce Utilit s tem 90s may cooperate to 

permissions cleannghouse 400' a certifying authority estabUsh a common fee mat the men divide amon mem . 

^ -^^ ^ SCrV1CeS ' a transacU0D 50 selves. In another scenario, each Commerce Utility System 

authority 700. 90 may independently charge for the value of its own 

Certifying authority 500 can issue digital certificates 504 services. There may be competition among different Corn- 
certifying the operation of one or more other Com- merce Utility System 90s based on quality of service and 
merce Utility Systems 90 (see FIG. 16D) — supporting price— just as credit card companies now compete for 
other Commerce Utility Systems 90 such as, for 55 providers' and consumers' business, 
example, a financial clearinghouse 200, a usage clear- 
inghouse 300, a rights and permissions clearinghouse Example Distributed Commerce Utility System 
400, another certifying authority 500', secure directory Architecture 
services 600, and transaction authority 700. Ginter et ah patent disclosure describes, at pages 180 

FIG. 16E shows that a secure directory services 600 may 60 and following, and shows in FIGS. 10-12, for example, a 

support other Commerce Utility Systems 90, such as, "Rights Operating System" providing a compact, secure, 

for example, financial clearinghouse 200, usage clear- event-driven, compartmentalized, services-based, "compo- 

inghousc 300, rights and permissions clearinghouse n ent" oriented, distributed multi-processing operating sys- 

400, certifying authority 500, other secure directory tem environment that integrates VDE security control 

services 600', and transaction authority 700. 65 information, components, and protocols with traditional 

FIG. 16F shows that a transaction authority 700 can operating system concepts. The preferred example Corn- 
support other Commerce Utility Systems 90, such as, merce Utility System 90 architecture provided in accordance 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



35 



36 



with these inventions builds upon and extends the Rights 
Operating System described in Ginter et al. 

For example, the preferred example Commerce Utility 
System 90 architecture provides a collection of service 
functions that the Rights Operating System may execute as 
applications. These service functions define a variety of 
useful tasks that any and/or all Commerce Utility Systems 
90 may need to perform. These service functions are 
distributable, scaleable and reusable. They can be combined 
in various combinations and sub -combinations — depending 
upon business models, for example — to provide the overall 
functionality desired for any particular Commerce Utility 
System 90 implementation. 

FIG. 17A shows an example overall architecture of a 
Commerce Utility System SO, FIG. 17B shows an example 
of the application architecture of a Commerce Utility 
System, and FIG. 17C shows more detail of a service 
function. 

Referring first to FIG. 17B, in this example the applica- 
tion software architecture for a Commerce Utility System 90 
contains a commerce utility system descriptor 90A. Com- 
merce utility system descriptor 90A contains information 
about the Commerce Utility System 90 that may be used to 
identify such system and its capabilities, as well as to 
describe, aggregate and/or interface with any number of 
service functions 90B(1), 90B(2), .... Commerce utility 
system descriptor 90A and service functions 90B may, for 
example, be implemented using object oriented program- 
ming techniques to help ensure that such descriptor and 
service functions are modular and reusable — as well as 
abstracting the specifics of how actions requested of Com- 
merce Utility System 90 are actually carried out and/or 
implemented. 

Commerce utility system descriptor 90A(1) may also be 
responsible for coordinating the action of service functions 
90B. In this example, descriptor 90A is used to direct 
requests and other system actions to the appropriate service 
functions 90B, and to ensure that actions requiring more 
than one service function are coordinated by reconciling 
differences in interfaces, data types and the like that may 
exist between the service functions 90B — as well as helping 
to direct overall process flow amongst the various service 
functions 90B. A non-exhaustive list of examples of such 
service functions 90B include the following: 

audit, 

maintaining records, 
overseeing processes, 
monitoring status, 
complete process definition, 
process control, 

interfaces) to settlement services, 

funds transfer, 

currency conversion, 

tax calculation and application, 

account creation and identifier assignment, 

payment aggregation, 

payment disaggregation, 

budget pre-authorization, 

status notification, 

confirmation, 

uncompleted events record, 
requirements generation, 
report generation, 



10 



event consequences, 
account reconciliation, 
identity authentication, 
electronic currency creation, 
event database management, 
routing database, 
generating requests, 
replication, 
propagation, 

usage database management, 
bill creation and processing, 
market research, 
negotiation, 

control set database management, 
control set generation, " ■■ -■ 
process control logic, 
event flow generation, 
routing, 
archiving, 

rights and permissions database management, 
template database management, 
commerce management language processing, 
rights management language processing, » 
advertising database management, 
automatic class generation, 
automatic class assignment, 
notary, 

seal generator, 
digital time stamp, 
fingerprint/watermark, 
offers and counteroffers, 
Object registry, 
Object identifier assignment, 
copyright registration, 
control set registry, 
template registry, 
certificate creation, 
revocation list maintenance, 
director database management, 
database query and response processing, 
other service functions. 

FIG. 17C shows more detail of a service function 90B. In 
this example, service function 90B is comprised of a service 
function descriptor 90C, and any number of service appli- 
cation components 90D(1) 90D(2), .... Service function 
descriptor 90C performs a role similar to that of commerce 
utility system descriptor 90 A, except that it acts with respect 
to service function 90B and service application components 
90D. Service function descriptor 90C and service applica- 
tion components 90D may, for example, also be imple- 
mented using object oriented programming techniques to 
60 help ensure that such descriptor and service application 
components are modular and reusable, as well as abstracting 
the specifics of how actions requested of service function 
90B are actually carried out and/or implemented. In this 
example, the service application components 90D imple- 
ment most of the capabilities of the service function 90B by 
carrying out steps of, or subfunctions of, the service function 
90B. 



20 



25 



30 



35 



40 



45 



50 



55 



65 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

37 38 

FIG. 17A shows an example overall Commerce Utility For example, some administrative and/or support func- 

System 90 architecture. The overall architecture shown in tions for performance by commerce utility systems 90 may 

this example is an object oriented system in which the involve use of both application level database functions as 

overall Commerce Utility System 90 is a single object, that well as information protected by a protected processing 

is in turn comprised of reusable service function 90B 5 environment ("PPE") 154 in the preferred embodiment. A 

objects. These service function 90B objects are comprised of specific example of this might be the records of payment by 

reusable service application components (objects) 90D. Any a user of a financial clearinghouse 200. If the operator of 

or all of these objects may make use of the services provided such a fimmcial clearinghouse 200 chose to keep payment 

by a commerce utflity support service layer 90-4, as hist information in an application level database, but 

described m more detail below The preferred embodiment JQ neede(J Monnatkm tected b PPE 154 ^ order t0 accu . 

Commerce Utility System architecture ^ shown is bml account status of a customer, 

upon the Rights Operating System 90-1 described in detail / ... , tU * 

in the GintTr et aL patent specification (see FIG. 12 of ^^ntrng a service application component 90D ^ that 

Ginter, et al., for example). A set of service functions 90B coordinated the information in the ^cation level database 

comprise "applications" executed by the Rights Operating with informaUon protected by PPE 154 and processed by 

System 90-1. There can be any number of service functions 15 service application component 90D^ mto a single object 

90B may significantly simplify the task of using this information 

The object oriented design of the Commerce Utility * ^ context of a given service function 90B (e.g. a 

System 90 architecture shown in FIG. 17A has several ' decision to extend additional credit). Furthermore, this 

desirable attributes. For example, a Commerce Utility Sys- example service application component may be reusable in 

tern 90 may easily add, remove and/or replace service 20 other service functions 90B. 

functions 90B to alter, extend and/or enhance its capabilities. In another example, service application component 90D A 

Similarly, the architecture allows the addition, removal, might serve principally as an application level interface 

and/or replacement of service application components 90D ob J ect t0 a corresponding PPE 154 object 90D B . For 

to permit similar flexibility in the case of service functions. example, if a notary service function 90B requires the 

Furthermore, object oriented design significantly improves 25 application of a digital signature, a service application 

the ease and efficiency of reuse of service functions and/or component 90D* might principally provide an interface that 

service application components in different Commerce Util- transports information to, and receives information from, a 

ity Systems 90, or different service functions 90B (as shown corresponding service application component 90D^ that 

in FIG. 17A); respectively. performs essentially all of the actual work of creating and 

The application layer, which is comprised of service 30 applying a digital signature. In addition, the appucation level 

function layer 90-2 and service application component layer service component 90D^ might provide additional exception 

90-3 (comprising components 90D A ), may be, if desired, handling, protocol conversion, or other functions designed 

supported by a commerce utility support services layer 90-4. to hel P integrate capabilities more easily or in a different 

Commerce utility support services layer 90-4 may provide manner than originally designed for a service function 90B. 

increased efficiency for large numbers of transactions. Such 35 17D -! shows an example correspondence between 

commerce utility support services 90-4 may include, for service functions 90B and general types of useful example 

example: commerce utility systems 90. Example service functions 

session management, 90B ("Audit", "Maintaining Records", . . . ) are shown 

fault tolerance horizontally. These example service functions 90B may be 

40 useful for implementing commerce utility system 90 
memory management, example types ("Financial Clearinghouse", "Usage 
load balancing, Clearinghouse", . . . ) written vertically in the row of boxes 
database bridging, and along me top of ^ diagram . The FIG. 17D-1I diagram is 
other commerce utility support services. nol exhaustive — additional useful commerce utility system 
In this example, service functions 90B are component 4S types are possible and additional service functions 90B are 
based, and may make use of the reusable and component also possible. Indeed, the architecture of Commerce Utility 
based service application components 90D. The service System 90 ensures that both types and service functions 90B 
application components 90D typically perform steps of, or arc extensible as business models or other factors change, 
subfunctions of, service functions 90B. Each service appli- Although certain business needs and models may tend to 
cation component 90D can have either or both of two parts: 50 inspire the use of certain combinations and collections of 
a component 90-B o that need not execute within protected important service functions in almost any implementation, 
processing environment 154; and the Commerce Utility System 90 architecture is inherently 
a secure component 90-B b that needs to execute within flexible — allowing the implementer to freely mix and corn- 
protected processing environment 154. bine a variety of different service functions depending upon 
In this example architecture, there may be a correspon- 55 their needs. For example, it is useful to provide a Commerce 
dence between components 90D o and components 90D 6 . Utility System 90 that functions as a "financial clearing- 
For example, at least one component 90D o may correspond house 200" — providing payment processing, 
with at least one secure component 90D fc . There may be a communications, database management, and other related 
one-to-one correspondence between components 90-D a and service functions. The Commerce Utility System architec- 
components 90D 6 (as indicated in FIG. 17A by common 60 ture can provide such a "financial clearinghouse" — and is 
geometric shapes). In the preferred embodiment, this sepa- also inherently much more generalized and generalizable. 
ration of function permits, when required and/or desired, the For example, a particular Commerce Utility System 90 
interaction between secure processes operating in PPE 154 implementation of a "financial clearinghouse" could also 
and service application components 90D. By using this combine "non-financial" service functions with financial 
architecture, it is easier and more efficient to create service 65 service functions. The particular functions or sets of func- 
functions that implement capabilities requiring both appli- tions that are realized in any given Commerce Utility 
cation level support as well as secure processing. System 90 implementation depend upon the individual 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

39 40 

needs of the implementer — as dictated for example by The various Commerce Utility System 90 interaction 

business model(s) or functions. models shown in FIGS. 17E-1 through 17E-4 are not 

FIG. 17D-2 shows, for example, how the overall func- exhaustive or mutually exclusive — any given transaction or 

tionality of an example "financial clearinghouse" commerce process may include some or all of these in different 

utility system 200 can be constructed from example service 5 combinations based upon business models or other require- 

functions 90B. In this example, the service functions 90B ments. 

surrounded by darker lines are included within the com- As mentioned above, the present inventions provide tech- 

merce utility system descriptor 90a shown in FIG. 17B. FIG. mques f or distributing the operation of a particular service 

17D-2 shows an example usage clearinghouse commerce function 90-2 or service application component 90-3 

utility system 300 constructed based on a different subset of 10 throughout a system 50 or network— including for example 

service functions 90B surrounded by dark lines (shown in to electronic appliances of individual consumers 95. FIG. 

FIG. 17D-1). Comparing FIGS. 17D-2 and 17D-3, one can 17F shows an example of a control set 188 that can be used 

see that some service functions 90B (for example, "audit," to control a remotely located protected processing environ- 

"status notification," "event database management/' etc.) m ent (f or example, a consumer's electronic appliance) to 

may be reused for both financial and usage clearing opera- 15 per f orm a "local" portion of a clearing operation. A Com- 

tions. A combination financial and usage clearinghouse mcrcc Utility System 90 could deliver this control set 188 to 

commerce utility system 90 might use the union of the a consumer's electronic appliance, to another Commerce 

service functions 90B surrounded by dark lines in FIG. utility System 90, or to some other electronic appliance' 

17D-2 and the service functions 90B surrounded by dark (e .g., one that is part of a commumcating infrastructure). The 

lines in FIG. 17D-3. More, less and/or different functionality 20 Commerce Utility System 90 can, for example, delegate part 

can be provided for a particular commerce utility system 90 G f j te clearing authority (implemented, for example, as one 

simply by providing and invoking more, less and/or different or m0 re service functions 90-2, each including one or more 

service functions 90B. service application components 90-3) to a process that can 

Distributing Commerce Utility System 90 be performed within the protected processing environment 

... t\x\ 'y j .« j « 25 154 of a user's electronic appliance. 

The secure application components 90-3 described above Jhc nG 17F , e £ a method 850 (e.g., meter, 

may, .n the preferred embodiment, include or compnse billmg> or budget) wh J AUDrr eve nt 852(1) is processed 

r^ipracal control ^structures and associated rules and meth- an audit method 854. The example meter method 850, for 

ods shown in FIGS. 41A-41D and 48 of the Gmter et al. ; 1 



patent application. These reciprocal control structures can be 



example, might have: 



used to interlink different or the same control sets operating 30 a USE cvent 852 < 2 ) («*- me meter )> 

on the same or different Commerce Utility Systems 90 or an INITIALIZE event 852(1) (e.g., prepare the meter for 
other electronic appliances 100. Hence, each actor can have 

one or more reciprocal relationships with every other a RESET event 852(3) (e.g., restore the meter to a known 

actor — with Commerce Utility System 90 involved in some 35 good state after an error condition), 

role in some of the various actions. an AUDIT event 852(4) (e.g., gather up records generated 

FIGS. 17E-1 through 17E-4 show different examples of during USE events, as well as a copy of the current 

interaction models Commerce Utility System 90 may use to UDE value, and arrange for shipment to the auditors)), 

interact with an ongoing transaction or process based in part a READ USE RECORD event 852(5) (e.g., return a copy 

on these reciprocal control structures: ^ of the requested use record), 

FIG. 17E-1 shows an event intermediation model in a READ UDE event 852(6) (e.g., return a copy of the 

which a Commerce Utility System 90 receives an event current UDE), 

notification 748 from a secure entity (e.g., a first a READ MDE event 852(7) (e.g. that returns a copy of the 

protected processing environment) and generates an requested MDE), and 

event 758 which triggers activities of another (and/or 45 other miscellaneous events. 

the same) secure entity (e.g., a second and/or the first Xhe AUDIT event 852(4), in this example, may be linked 

protected processing environment). to an audit method 854. In order to access the data in this 

FIG. 17E-2 shows a different Commerce Utility System example, the Commerce Utility System 90 might need 

interaction model in which the first secure entity pro- permission in the form of access tags and/or an appropriate 

vides event notification 748 to both a Commerce Utility 50 PERC control set defining more detailed usage, permissions, 

System 90 and another secure entity to perform a step, anc j semantic knowledge of the record format written out by 

but the second entity awaits receipt of an authorization me meter method 850*s USE event 852(2). The semantic 

from Commerce Utility System 90 to proceed before it knowledge could come from an out-of-band agreement (e.g., 

actually performs the next step in the process. a standard), or through access to the MDE (or relevant MDE 

FIG. 17E-3 shows a notification model in which Com- 55 portion) of the meter method 850 that describes the use 

merce Utility System 90 is more of a passive bystander, record format. 

receiving event notifications 748 for purposes of secure The events of audit method 854 would include a USE 

auditing but otherwise not interacting directly with the event 856(2) that performs the functions expected by the 

ongoing process or transaction unless needed to resolve calling method's event — in this case, gathering use records 

exceptions (e.g., an error condition). 60 and a copy of the current UDE, and sending them off. In this 

FIG. 17E-4 shows a prior authorization model in which example, let's assume there is an INTIALIZE event 856(1) 

the Commerce Utility System 90 must issue a notifi- in this method as well. When called, the INITIALIZE event 

cation 748' to one secure entity in response to receipt of 856(1) would be sent internally, and its associated load 

an event notification 748 from that entity before that modules) would call back to the READ MDE event 852(7) 

entity may pass the event notification 748 along to the 65 of the meter method 850 to learn the semantics of the use 

next secure entity to perform the next step in a overall records. Then, the USE event 856(2) would be called and the 

process or transaction. load module(s) 858(2) associated with processing this event 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

41 42 

would call the appropriate events of the meter method 850 As another example, many secure, largely automated 
(e.g., READ USE RECORD repeatedly, and READ UDE administrative and support services may be distributed in 
once). At this point, the expectations of the calling method whole and/or in part to an at least occasionally connected 
have been fulfilled, except for administrative object pack- appliance — regardless of whether that appliance is a 
aging and transmissioa s computer, set top box, personal digital assistant (PDA) 
In order to implement more distributed clearing functions, digital telephone, intelligent digital television, or any other 
the USE event 856(2) may do more processing. For digital appliance. Such appliances can use a protected pro- 
example, while reading in the USE records from the meter, cessi environment to ensure that the support service is 
me audit method 854 may implement analysis mnctions performed ^ reliably> free from tampering and 
e.g., categorizing the types of objects used, and reducing ^ interference (e.g., as described in the Ginter, et al. 
the information reported up the clearing chain to a simple . fi . \ ° 
count of how many times various types of content were pal r em ^^ call0n ;; 

accessed). Records from content types toat are not interest- . Io another exam ? le > one P 0SSlble Y? E °° n * nX dlstribu - 

ing may be discarded The detailed records themselves may ?° n . f^f 10 . evolves content providers performing the 

be discarded after analysis. In another example, the UDE mitial Packaging role, distnbutors performing the distribu- 

values (e.g., how many clicks are recorded) may be com- 15 tion function, users keeping track of usage records, and 

pared to the number of use records retrieved, and if there is clearinghouses processing usage and financial information, 

a discrepancy, they can be reported and/or acted upon locally This is in contrast to a centralized processing model, in 

(e.g., disabling use of the objects from a given provider until which all of these functions are performed by a single 

further interaction). In still another example, records may centralized party. 

have user identity information removed to ensure privacy. In 20 As still another example, efficiency increases can be 

a further example, some use records may be processed and realized by distributing clearinghouse functions across indi- 

analyzed locally (and then discarded), while other detail vidual user machines, local area network (LAN) servers, 

records are saved for later processing. and/or corporate "gateway" machines that bridge the cor- 

Once the distributed clearing functions have been porate LAN/WAN environment with the outside world, and 

performed, the information can be packaged up in one or 25 commercial "backbone" servers. 

more administrative objects for transmission up the clearing As another example, a company's computer might be 

chain to a centralized location. This may involve a direct authorized by a central certificate authority to grant certain 

report to the providers), and/or a report to another clearing kinds of digital certificates. For example, the company might 

function, for example. The processed records may be be a member of a certain trade organization. The trade 

released (for deletion, summary, filing, etc. by the meter 30 organization's certifying authority might give the company 

method) by the audit method 854 when received, processed, a digital certificate attesting to that fact, and delegate to the 

transmitted, or on receipt of a confirmation by the recipients. company's own computer the certifying authority to issue 

In another example using the meter method 850 shown in certificates attesting to the fact that each of the company's 

FIG. 17F, the AUDIT event 854 could be performed "inter- employees is a member of the trade organization. Similarly, 

nally" by the meter method 850. In this example, the use 35 parents may be authorized to issue digital certificates on 

records and UDE would be bundled up in one or more behalf of their offspring. 

administrative objects for transmission to the auditors) by The techniques described above illustrate how the Dis- 

the load modules) 853 associated with the AUDIT event tributed Commerce Utility, through use of the Commerce 

854(4) of the meter method 850. However, rather than Utility System 90 architecture, can be distributed across 

transmitting these objects, they could be processed locally. 40 multiple Commerce Utility Systems. Furthermore, the ser- 

To do this, the name services record used by ROS (see vice functions 90-2 provided by one or more Commerce 

Ginter et al. FIGS. 12 and 13) to find the named auditors) Utility Systems 90 may be decomposed into complete, or 

could be redirected back to the local PPE 154. In the PPE even partial, process steps (e.g., service application compo- 

154, a process controlled by the Commerce Utility System nents 90-2) that are performed in whole or in part on other 

90 can be created (based on methods and/or load modules 45 Commerce Utility Systems 90, or any other system 

delivered on their behalf) to perform the local clearing (including end user systems) selected by the participants in 

functions described above, except using the content of the a given scenario, 
administrative object(s), rather than calls to the meter 

method events. This is more analogous to the function that Example Commerce Utility System Types 

would be performed at a remote clearing facility in the sense 50 . , . 

. . r . - , j • • / « . . Financial Clearinghouse 200 
that the operations are performed on administrative objects 

and their contents — but the processing can instead be done FIG. 18 shows an example of a Financial Clearinghouse 
on the local consumer electronic appliance, on a networked Commerce Utility System 200. "Financial Clearinghouses" 
appliance. support automated, efficient financial fulfillment for elec- 
Distributing support services in this manner provides 55 tronic transactions. For example, financial clearinghouse 
additional capabilities that may not be present or available in 200 may collect payment related information and details, 
a centralized architecture. For example, a rights and pcrmis- and efficiently arrange for the transfer of money and other 
sions clearinghouse could delegate a local server within an compensation to ensure that value providers get paid, 
organization to keep track of requests and to cache copies of including the automated, selective disaggregation of a pay- 
permissions previously requested by the organization. Such 60 ment into payment portions directed to appropriate value 
a local rights and permissions clearinghouse could reduce chain participants. Financial clearinghouses 200 may also 
network traffic and provide a convenient local repository for provide credit, budgets limits, and/or electronic currency to 
organization-specific permissions (e.g., site licenses for participant (e.g., end-user) protected processing 
computer software). The local rights and permissions server environments, wherein the financial clearinghouse may have 
could be authorized by rights holders or a rights and per- 65 distributed some of its operations to such protected process- 
missioning agency or other rights distribution organization ing environments for secure, local performance of such 
to grant licenses on a request basis. operations. The following are some example financial clear- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



43 



44 



10 



15 



ing support functions that can be provided through the use 
of the present inventions: 

Clearing of financial transactions in a secure, efficient, 
timely and accurate manner. 

Providing secure financial clearing on payment mecha- 
nisms that are trusted by, and convenient for value 
providers and users/consumers. 

Assuring payment to rights holders and other value chain 
participants (for example, providers who supply value 
to the electronic community in some part of the process 
from creation, to distribution, to sale, and to delivery) 
without requiring them to take on the task of managing 
a large number of financial interfaces with widely 
dispersed customers and/or a variety of often complex 
financial services standards and protocols. 

Allowing content consumers to pay for information goods 
- and associated services using a variety of different 
payment vehicles via a common, trust able interface. 

Allowing each party involved in a transaction to verify 20 
that a given exchange has occurred as it was mutually 
intended, and to preclude repudiation of the transaction 
by any party. 

Reconciling accounts at time of purchase or usage report- 
ing (e.g., transferring funds from a value chain partici- 
pant account to one or more provider accounts). 

Supporting frequent and granular transaction clearing 
activities. 

Providing financial clearing services to all value chain 
participants (e.g., buyers, distributors and sellers of 
digital content of all kinds as well as buyers, 
distributors, and sellers of physical goods and user of 
other services). 

Interfacing distributed electronic commerce domains with 
existing electronic, paper and/or other payment and/or 
clearing services, including but not limited to credit 
card systems, bank debit card systems, smart card 
systems, electronic data interchange, automatic 
clearinghouses, digital money, etc. 

The effecting, by one or more banks and/or other 
organizations, of settlement and reconciliation and/or 
interfacing directly with entities who may legally per- 
form settlement services. 

The effecting of the creation of, and assigning of, iden- 
tifying labels, numbers, names or other unique 
identifiers, by one or more banks and/or other organi- 
zations to digital process and/or digital information 
creators, information distributions and/or modifiers, 
and/or customer and/or other user accounts for funds, 
credits and debits. 

Using secure containers in any step, part, or process of 
providing secure financial clearing services. 

Controlling secure financial clearing processes based, at 
least in part, on rules and controls stipulating the 
distribution of processes to be performed at each pro- 
tected processing environment of a distributed financial 
clearinghouse systems, e.g., clearing performed by the 
user protected processing environments, web servers, 
centralized clearing facilities. 

Efficiently and securely handling conversions from one 
currency to another. 

Enabling payment fulfillment on provision of other con- 
sideration including service fees, product fees and/or 
any other fees or charges based at least in part on 
content, process control, and/or rights management use. 



25 



30 



35 



40 



45 



50 



55 



60 



65 



Supporting wide use of micro-fees and micro-payments at 
least in part based on content, process control, and/or 
other usage transactions, wherein said support may 
include the distributed, secure accumulation and/or 
processing of micro-transaction activity and the peri- 
odic passing of information related to such activity 
through a clearinghouse network for further processing 
and/or accumulation. 

Efficiently measuring and managing micro-payment 
activity while minimizing transaction overhead. 

Minimizing latency in micro-payment transaction han- 
dling. 

Aggregating or "bundling" transactions against local 
value store or other payment vehicles (methods). 

Employing value chain rules and controls and chain of 
handling and control for efficiently administrating the 
disaggregation (splitting apart) of- payments, including 
the assignment or transfer to different value chain 
providers of payments based on the same or differing 
electronic control sets controlling usage and/or other 
permissions (e.g., securely controlling payment conse- 
quences through the parsing of payment amounts 
among various value chain parties as required by rules 
and controls before specific payment methods are acti- 
vated. 

Reducing (e.g., minimizing) the number of electronic 
messages required to support a given set of electronic 
transactions through, for example, distributed transac- 
tion processing and/or transaction activity accumula- 
tion. 

Supporting local aggregation (bundling or combining 
together) of multiple payments or micro-payments at a 
value chain participant's site. 

Allowing value providers (e.g., value chain participants) 
to efficiently check another value chain participant's 
ability to pay before providing services or goods 
(physical and/or electronic) on credit 

Allowing value providers to authorize an appropriate 
level of funding for estimated purchase levels on a 
value chain participant's preferred payment vehicle, 
including, for example, allowing the provision of bud- 
gets for credit and/or currency that can be expended 
towards all and/or only certain classes of transactions 
(e.g., content and/or process control types) including, 
for example, budgets for disbursement for expressly 
specified categories of expenditures such as only G and 
PG movies. 

Providing verification of the identity of a potential value 
chain participant and binding of that identity to the 
value chain participant's selected payment vehicle(s). 

Providing periodic reporting of transaction activity for 
clearinghouse reconciliation and recordation purposes. 
Performing auditing, billing, payment fulfillment and/ 
or other consideration and/or other clearing activities. 

Providing event driven reporting based, for example, on 
time, place, depletion of local funds, and/or class of 
disbursement activity such as purpose (for business, 
entertainment, travel, household expense), family 
member or other individual or group identity, category 
of content or other goods and/or services acquired, 
and/or category any of type of disbursement activity 

Receiving authority from secure chain of handling and 
control embodied in electronic control sets. 

Granting authority and/or providing services to, and/or in 
conjunction with, one or more distributed financial 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



45 



46 



clearinghouses that arc some combination of subordi- 
nate to, and/or have peer-to-peer relationships with, one 
or more of said clearinghouses. 
Distributing financial clearing functions across a network 
or other system (for example, every consumer or other 
value chain participant node can perform distributed 
financial clearing services and wherein said participant 
node may communicate financial clearing information 
directly to one or more other participants) and in 
accordance with rules and controls and other VDE 
techniques as described in the Ginter, et al patent 
specification. 

Granting authority and/or providing services to, or in 
conjunction with, one or more financial sub- 
clearinghouses whose operations may be located logi- 
cally and/or physically elsewhere, such as within a 
company or government agency and/or within one or 
. more jurisdictions and/or serving subsets of the overall 
business focus area of a senior financial clearinghouse. 

Distributing and/or otherwise authorizing financial clear- 
ing functions across a system or network, for example, 
where every consumer and/or certain or all other value 
chain participant nodes can potentially support a dis- 
tributed usage clearing service initiating its own, secure 
financial clearing transactions and function in the con- 
text of the overall clearinghouse network including 
clearinghouse interoperation with one or more other 
participant, interoperable nodes, and as elsewhere in 
this list, all activities employing VDE techniques as 
appropriate. 

Efficiently calculating, collecting, and dispersing sales 
and 'Value added taxes" imposed by at least one 
jurisdiction. 

Supporting a web of financial clearinghouses in which 
one or more classes (groups) of clearinghouse have 
interoperable, peer-to-peer relationships and in which, 
differing groups may have differing rights to interop- 
erate with members of other groups, for example finan- 
cial clearinghouses on end-user protected processing 
environments may have limited rights to inter-operate 
with "primary" financial clearinghouses. 

Supporting a web of clearinghouse protected processing 
environments in which such protected processing envi- 
ronments comprise discreet "banks" or banking pro- 
tected processing environments, and where such pro- 
tected processing environments can employ VDE 
capabilities to securely govern and perform banking 
functions such as the secure storage (locally and/or 
remotely) of notational currency, the right to "lend" 
stored currency to end-user and/or other clearinghouse 
protected processing environments, the right to launch 
electronic currency objects, the right to fulfill payment 
from local or remote currency store(s), the ability to 
receive communications representing obligations to 
pay (e.g., electronic bills), the ability to fulfill such 
payments, and the ability to operate as a component 
banking "branch" of one or more virtual bank(s) (or 
banking network(s)) wherein such bank performs many 
of the roles currently performed by conventional banks. 

Supporting the ability for financial clearinghouses to 
create electronic currency that is conditionally anony- 
mous and where such currency may be employed in the 
fulfillment of payment obligations and where such 
currency is treated as authentic without the requirement 
that a receiving party connect after such receipt with a 
remote banking authority for assessing that the cur- 
rency is valid or authorized for use. 



10 



20 



30 



35 



40 



45 



50 



55 



60 



Supporting the ability for distributed clearinghouse pro- 
tected processing environments to operate — in conjunction 
with one or more capabilities described above— on portable 
devices such as smart cards (e.g., electronic wallets, etc.) 
where cellular or land-line communication means (or other 
transport mechanisms) support on-line or asynchronous 
communication of information related to a current or an 
plural transactions such as billing or other audit information 
regarding commerce activity including identification, for 
example, of purchasers, sellers, and/or distributors, and 
authorization information, budget information, credit 
provision, currency provision, and/or disbursement 
information, etc. related to such activity. 
Supporting the provision of discounts, subsidies and/or 
coupons to value chain participants, for example to 
consumer users, in exchange for usage data or more 
finely grained usage data (for example, ameliorating 

privacy concerns in some contexts): - » * • « 

May be organized hierarchically, peer-to-peer, or in a 
combined mode where responsibility for financial 
clearing may be distributed in differing fashions for 
differing commerce models and/or activities and/or 
value chains and where certain one or more parties may 
be, for example, hierarchically more senior to other 
parties in one or more instances and hierarchically a 
peer or less senior in one or more other instances. 
The relationship among participants is programmable and 
may be set (and later modified) to represent one or more 
desired financial clearing arrangements for given com- 
merce activities, value chains, or models. 
Distributing payments to plural parties, including, for 
example, taxes to one or more governments (e.g., city, 
state, and federal). 
FIG. 18 shows an example function oriented diagram for 
financial clearinghouse 200. In this example, financial clear- 
inghouse 200 is highly automated, and operates in a trusted, 
secure domain to provide a protected processing environ- 
ment. It efficiently provides financial clearing services to all 
kinds of electronic commerce chains. It can also serve as a 
gateway between the highly secure virtual distribution envi- 
ronment (VDE) domain and other domains — providing pro- 
tocol support for the existing infrastructure. The gateway 
functions can allow the highly flexible and distributed VDE 
protected processing environments to exploit the inflexible 
and centralized, but ubiquitous and trusted, existing financial 
infrastructure services. 

The core functions of financial clearinghouse 200 relate to 
payment processing 208, payment aggregation 212, pay- 
ment disaggregation 214, and micro-payment management 
216 — since these functions collect money from customers 
and other value chain participants, and pay money to value 
chain service or product providers such as merchants. 

In more detail, financial clearinghouse 200 may perform 
the following functions in this example: 
payment processing 208, 
credit checks 210, 
payment aggregation 212, 
payment disaggregation 214, 
micro-payment handling 216, 
event driven reporting 218, 
reconciliation 220, 

database maintenance/management 222, 
replication 224, and 
propagation 226. 

Financial clearinghouse 200 may receive payment infor- 
mation 202, customer information 230, provider information 



01/11/2004, EAST Version: 1.4.1 



US 6# 

47 

232, and aggregated reports and bills 234 from the outside 
world. It may generate debit orders 236, credit orders 238, 
statements and reports 204, 240, release signals 242, and 
credit checks and authorizations 244. 

Database management 222 and event driven reporting 218 
may be used to securely provide accurate financial reports to 
value chain participants. Reconciliation function 220 — 
which is related to both reporting and financial 
management — allows financial clearinghouse 200 to pro- 
vide more reliable financial management. Replication func- 
tion 224 and propagation function 226 are used by financial 
clearinghouse 200 to facilitate distributed processing with 
other financial clearinghouses 200 and/or other secure or 
insecure protected processing environments, permitting the 
financial clearinghouse to securely share state and update 
information with other Commerce Utility Systems or other 
participants. 

In the example shown, "the payment information 202 
(which may arrive in one or more secure containers 152) is 
the primary input to payment processing block 208. If 
desired, payment information 202 can also include some or 
all of the usage information sent to a usage clearinghouse 
300 — or it may include different types of usage information 
more relevant to financial auditing and transaction tracking. 
This payment information 202 can arrive in real time or on 
a delayed (e.g., periodic or other event-driven) basis. 

Financial clearinghouse 200 uses provider information 
232 and customer information 230 to effect funds transfers 
between customers and providers. Financial clearinghouse 
200 uses aggregated reports and bills 234 to guide the 
overall payment processing 208 as well as payment aggre- 
gation 212 and payment disaggregation 214. For example, 
financial clearinghouse 200 may issue debit and credit 
orders 236, 238 to third party financial parties such as banks, 
credit card companies, etc., to effect debiting of consumer 
accounts and corresponding crediting of provider accounts. 
Financial clearinghouse 200 may issue statements 204 and 
reports 240 for secure auditing and/or informational pur- 
poses. Financial clearinghouse 200 may issue credit autho- 
rizations 244 after performing credit checks 210, thereby 
extending credit to appropriate value chain participants. 
Such authentication 244 may include an input/output 
function, unless they are performed entirely locally (i.e., an 
authorization request comes in, and clearinghouse 200 is the 
source of credit and/or credit limit information). 

Financial clearinghouse 200 may issue release signals 242 
in appropriate circumstances to allow electronic appliances 
100 to stop maintaining and/or keep "pending" financial 
information after it has been transferred, analyzed and/or 
processed by financial clearinghouse 200. In one example, 
the user appliance 100 may, within business model 
limitations, store the financial information even after it is 
"released," reduce it to a summary, etc. Of course, it may 
have already done this with a copy of the data (e.g., if 
previously allowed to access it). For example, suppose the 
local copy of financial usage information contains confiden- 
tial business model information. A property might cost $1.00 
to view, and that dollar may be split among several parties. 
Normally, the user is only aware of the overall bottom line, 
not the details of the split — even though a record may exist 
locally for each of the participants in the transaction. 

FIG. 19 shows an example architectural diagram for 
financial clearinghouse 200. Financial clearinghouse 200 in 
this example includes a secure communications handler 246, 
a transaction processor 248, a database manager 250, a 
switch 252, and one or more interface blocks 244. This 
example financial clearinghouse architecture may be based, 



>8,568 Bl 

48 

for example, on the operating system architecture shown in 
FIG. 12 and 13 of the Ginter et al. patent specification 
(general purpose external services manager 172 in that 
example could support settlement service interfaces 254 for 

5 example). Secure communications handler 246 allows finan- 
cial clearinghouse 200 to communicate securely with other 
electronic appliances 100(1) . . . 100(N)- Such communica- 
tions may be by way of secure digital containers 152. It is 
desirable for most Commerce Utility Systems 90 (including 

10 financial clearinghouse 200) to support both real time and 
asynchronous receipt of containers 152. In addition, finan- 
cial clearinghouse 90 may also support a real time connec- 
tion protocol that does not require containers 152 for simple 
transactions such as making a credit card payment that 

15 doesn't have disaggregation requirements. The advantage to 
using a real time connection is real time results. This may be 
beneficial in circumstances where users need more money or 
. credit because they have run out (rather than simply making 
a report or receiving a periodic replenishment of a budget 

20 that has not been exhausted), and also when a provider (e.g., 
of content or budget) insists on clearing a transaction before 
allowing whatever activity initiated the transaction to go 
forward. 

A connection for a real time transaction doesn't always 

25 require secure containers 152, but using containers 152 even 
in this scenario has advantages. For example, containers 152 
permit attachment of rules and controls to the contents, 
allowing users to specify how the contents may be used. In 
addition, use of containers 152 leverages existing capabili- 

30 ties in the protected processing environment. Using a tech- 
nique such as electronic mail to deliver containers 152 (e.g., 
as attachments to SMTP mail messages, or as attachments to 
any other e-mail protocol that supports attachments) permits 
asynchronous processing of contents, thereby allowing 

35 Commerce Utility Systems 90 to smooth out their peak 
processing loads. A cost of operating a commercial clear- 
inghouse is the depreciation expense of the equipment. The 
amount of equipment is principally driven by the peak load 
requirement. One can expect a significant variance in load 

40 (for example, compare Friday night at 8 pm versus Tuesday 
morning at 3 am). Smoothing out this function can lead to 
quite considerable savings in equipment and related costs 
(electricity, personnel, maintenance, etc.) 
Transaction processor 248 may process and analyze 

45 received information, and database manager 250 may store 
received information in a database for later analysis and/or 
for historical analysis (to increase credit limits, analyze 
payment histories, etc.) In addition, database manager 250 
may also store information associated with existing credit 

50 limits, addresses for communications (physical and/or 
electronic), and other account information. For example, the 
Ginter et al. patent specification discusses budget encum- 
brances. The database manager 250 may be used to store 
information used to track encumbrances as well. There may 

55 also be sets of security information used to communicate 
with protected processing environments and/or users 
employing the protected processing environments, and the 
settlement services. Records associated with communica- 
tions with the settlement services may also be stored there as 

60 well. The database 250 may also be outfitted with various 
reporting facilities related to its contents. 

Transaction processor 248 and database manager 250 
together perform most of the functions shown in FIG. 18. 
Switch 252 is used to route information to and from interface 

65 blocks 244. Interface blocks 244 are used to communicate 
with third party settlement services, such as credit card 
companies, Automatic Clearing House (ACH) systems for 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

49 50 

bank settlements, debit card accounts, etc. Optionally, the Financial processor 260 may send a statement 204 to 

internal settlement services provided by a Federal Reserve provider 164 (and/or to consumer 95) detailing the financial 

Bank 256 may be used in lieu of or in addition to the third debits and payments that have occurred. It may provide 

party settlement services shown to provide settlement of statement 204 within a secure container (not shown) if 

accounts in accordance with prevailing banking arrange- 5 desired. Financial clearinghouse 200 may receive a portion 

ments and legal requirements. The payment mechanisms or p erccn tagc of the debited finds to compensate it for the 

used by financial clearinghouse 200 may be symmetrical financial clearing services it has provided, 

(e.g., tell VISA to charge consumer A's charge account and ™™ ™ * »_ i a -it* 

credit vendor Y's account) or asymmetrical (e.g., tell VISA . ™ 20A-20F show an example financial clearing activ- 

to debit consumer A's charge account and provide the in ity usmg a local electronic money pur^262 mamtamed a 

money to the financial clearinghouse which will credit 10 * e consumer s electronic^ appliance 100. In this example, 

vendor Y's account using some other payment mechanism) financial clearinghouse 200 may initially provide consumer 

as allowed by applicable financial and banking regulations. 1W) with electronic money in the form of electronic cash by 

. " ~ transmitting the electronic cash within one or more secure 

Example Financial Clearing Processes containers 152. Financial clearinghouse 200 may automati- 

FIG. 20 shows an example financial clearinghouse pro- 15 C ally debit the consumer's bank 206fl or other account to 

cess. In this example, a provider 164 provides goods, obtain these funds, and may do so at the consumer's request 

services or content to a consumer 95. For example, provider ^ e y\G. 20A). 

164 may provide one or more' digital properties 1029 and t, ~T* * "Vn« " " * r * 

. J j i aha i * • ♦ . The consumer s electronic appliance 100 upon receiving 

associated controls 404 within an electronic secure container . - , , \f t , „u- , ^ • 

1 «-> a „^*^t~A ^™;r™™«» ic4 at 100 electronic funds may deposit them within an electronic 

152. A secure protected processing environment 154 at tne 20 , . . r . iL . . 4 . t , 

c „ Q( - JL^v „c ™a cash purse 262 it maintains within its protected processing 

consumer 95 site keeps track or payment, usage and other . r ^ , «*»t^t-« I ^ + 

information, and may provide an audit trail 228 specifying 'P™" T ^ , "\ ■ t£ 

this information. Audit trail 228 may be transmitted from the » L > <*• P; J** cus *»" r s electr0MC a PP hance "° 

site of consumer 95 to financial clearinghouse 200 within "'^ ' hls loca,1 y stored electromc money to pay for 

one or more secure containers 1526. Audit trail 220 might 25 ■ ood » *** services consumed by the consumer For 

include, for example, the identification of the reporting a Pf 1 ^ 1 68 m ^ pro ^* ™* 166 ' * a 

electronic appliance 100; the amount of payment; provider bjx)k, film, te^on program, or the like, o the consumer s 

identification; the consumer's desired payment method; the elcctIonlc aPP'^ by transmitting it within one or more 

name or other identification of the electronic appliance user, J**" containers 152*. Tie consumer may operate his or 

and the type(s) of traasactionCs) involved. The time and/or 3 o her ek ( Ctonic appliance 100 to open the container and 

frequency of reporting might be based on a number of »cc^ the work 166 aUowmg the consumer to use the work 

different events such as for example, the time of day, week, m the manMT specified by ^ assoc,ated electron » c controls 

month, year or other time interval; the occurrence of some ' see 

related or unrelated event (e.g., pre-approval for a purchase Assuming that the rights owner requires payment in return 

is required, a certain number of purchases have taken place, 3S for of tbc work 166 « consumer's electronic appli- 

a local electronic puise has been exhausted of funds, report- ^ce 100 may automatically debit electronic purse 262 by 

ing is necessary for some other reason, etc.); or a combina- amoual of payment required (in this case $5) (FIG. 20C). 

tion of these Additionally, electronic appliance 100 may automatically 

Financial clearinghouse 200 analyzes the audit trail 228, S enerate a record 264 ^cording this usage event, 

and generates one or more summary reports 240. Financial 40 Based on time and { or ° ,h " ™ Dt occurrence, the consum- 

clearingbouse 200 may provide the summary report 240 to er s . elec ^ appliance 100 may automatically send an 

P rovideTl64bytransmittmgitelectronicaUywithinasecure audit trad 264-^rhich may comprise a package of audit 

container 152c. Financial clearinghouse 200 may also coor- records transmitted at audit time or set of related records 

dinate with a financial intermediary 258 and one or more s ' ored m «•* » database-(or a summary of it to protect 

financial processors 260 to effect a debiting of a bank or 45 * e <?nsumer s pnvacy)-to financial clearmghouse 200 m 

other account owned by consumer 95 and corresponding J" J*™ of one or electronic contamers 152c (see FIG. 

crediting of a bank or other account owned by provider 164. 2UD). 

For example, the financial clearinghouse 200 may receive Upon receiving the usage record 262 and successfully 
the audit information, disaggregate the transactions (into storm g 11 Wlthm lts own data ^ase 250, financial clearing- 
value chain amounts for creators, distributors, and others; as 50 housc 200 ma y 800(1 a rclease 242 ^in m electronic 
well as for tax authorities and other governmental entities), container 152<* (see FIG. 20D). TTiis release signal 242 may 
and then calculate an amount due it from each of the allow the consumer's electronic appliance 100 to delete the 
transaction beneficiaries. Then, if desired or necessary (due ™*& record 264 il had Previously maintained (see FIG. 
to the size of the transactions, per transaction fees, or other 20D). 

efficiency and/or cost considerations), the transactions may 55 The consumer may use the same or different work 166 

be rolled up into lump sums for each of the parties, and again to prompt generation of an additional usage record 

submitted to a financial intermediary 258 (along with appro- 264' and to decrement the electronic purse 262 by another 

priate account information) that is responsible for perform- usage charge (in this case exhausting the purse's contents) 

ing credit card transactions. The financial intermediary 258 (see FIG. 20E). Exhaustion of electronic purse 262 may 

(who may also charge a fee or take a percentage) may then 60 prompt the consumer's electronic appliance 100 to again 

cause transactions to occur at the financial processor 260 contact, financial clearinghouse 200 to request additional 

such that the beneficiaries each receive the appropriate funds (see request 228*) and to also provide usage record 

amounts. Alternatively, if the financial clearinghouse 200 264' (both pieces of information are transmitted within the 

has the ability and authorizations necessary to submit credit same electronic container 152e in this example) (see FIG. 

card transactions directly to credit card companies, it may 65 20F). 

cause the transactions to occur directly with the financial Financial clearinghouse 200 may respond by transmitting 

processor 260 (e.g., Visa). additional electronic funds (after debiting the consumer's 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

51 52 

bank or other account), and may also provide another release mark up (for example) that it will receive for the use of its 

signal allowing the consumer's electronic appliance ICO to brand name, distributing and marketing services, 

delete usage record 264' (see FIG. 20F). The money col- pjc. 22A shows a detailed example of how payment 

lected may be paid to the rights holders (after any appro- disaggregation can be performed within the customer's 

priate reductions to compensate Commerce Utility Systems 5 protected processing environment 154 using control sets 188 

90). as described in the Ginter et al patent disclosure. Ginter et 

al. teaches, in FIG. 48 and associated text, how a control set 

Payment Disaggregation caQ implement and control an ove rall metering, billing and 

FIG. 21 shows an example financial clearing activity budgeting process within a user's protected processing envi- 

involving value chain "disaggregation." Financial clearing- 10 ronment 154. FIG. 22 A illustrates payment disaggregation 

house 200 in this example efficiently, reliably and securely based on one or more control sets 188 provided to a 

supports payment disaggregation within a value chain. FIG. consumer's protected processing environment 154. Each of 

21 shows a content creator, such as an author, delivering a the processing blocks shown in FIG. 22Amay be in response 

work 166 to a publisher 168. The publisher publishes the to a user request (event) to open and access content, 

work (for example, within an electronic book 166 ) and 15 Id this particular example, a metering method 275 is 

delivers it to a consumer 95. In this example, the consumer designed to pass an event to billing method 277 whenever 
95 pays $20 for his copy of the book 166\ The. consumer's . the consumer first uses a particular piece of content, (meter 

payment is "disaggregated" or split up between the author event 275 could also or alternatively pass the event along 

164 and the publisher 168 based, for example, upon a each time the consumer uses the content to provide a "pay 

contractual agreement. In this example, the publisher 20 per view" functionality if desired). 

receives four of the consumer's $20 and the author receives jh e billing methods 277 include two different billing 

me resl - methods 277a and 277b in this example. Methods 277a, 

Disaggregation allows financial clearinghouse 200 to 277ft can be independently deliverable — for example, the 

automatically split up a consumers' payment among any author 164 could deliver billing sub-method 277a, and the 

number of different value chain participants. This is publisher 168 could deliver billing sub-method 2776. Billing 

extremely useful in ensuring that all contributors to a method 277a writes information to a billing trail data 

product or service can reliably and efficiently receive com- structure specifying how much the author 164 is to be paid 

pensation for their respective contributions. ($16 in this example). Billing method 2776 writes informa- 

FIG. 22 shows how financial clearinghouse 200 can 30 tion to the same or different billing trail data structure 

support the value chain disaggregation shown in FIG. 21. In specifying how much the publisher is to be paid ($4). Billing 

the FIG. 22 electronic example, the customer 95 may deliver methods 277a, 2776 may each receive the open event passed 

his payment electronically to financial clearinghouse 200. along by meter method 275, and may each write billing 

This payment may be in the form of electronic currency records to the same (or different) billing trail data structure, 

packaged within a secure electronic container 152a, or it 35 In this example, a budget method 279 may be delivered 

might be in some other form (e.g., reported usage infbrma- independently of the billing methods 277a, 2776. Budget 

tion coupled with a preexisting authorization for financial method 279 may write records to a budget trail data structure 

clearinghouse 200 to debit the bank account of customer 95). 281 specifying (among other things) the payment disaggre- 

Financial clearinghouse 200 may distribute appropriate gation arrangement (i.e., the $16/$4 split between author and 

shares of the customer's payment to author 164 and pub- 40 publisher) specified by the billing methods 277a, 2776. The 

Usher 168 in accordance with the agreement between the budget trail data structure 281 (which is maintained inde- 

author and the publisher. What tells financial clearinghouse pendently from the data structures maintained by billing 

200 who should receive the disaggregated parts of the methods 277a, 2776 and therefore cannot be compromised 

payment? In this FIG. 22 example, the work 166 may pass by the author 164 and/or the publisher 168) might be sent to 

from the author 164 to the publisher 168 and from the 45 a financial clearinghouse 200. The financial clearinghouse 

publisher 168 to customer 95 in electronic form within one 200 would perform payment and debit financial clearing as 

or more secure electronic containers 152. One or more described above to result in the consumer's account being 

electronic control sets 188 may be included within the same debited by $20, the author's account being credited by $16 

or different containers, these control sets being associated and the publisher's account being credited by $4 (thus 

with the work 166 or other property. Control sets 188 may 50 disaggregating the user's $20 payment between the author 

specify, among other things, the amount of payment cus- 164 and the publisher 168). Meanwhile, the billing trail data 

tomer 95 must supply in order to be able to use the work 166. structure could be sent to a usage clearinghouse 300 speci- 

Controls 188 may also specify and control how the fied DV me author and/or the publisher 168. Usage 

customer's payment will be disaggregated among the other clearinghouse 300 could analyze the billing trail data struc- 

value chain participants. For example, author 164 may 55 ture and let author 164 and/or publisher 168 know what 

specify within controls 188b the author provides, that she is payments they might expect to receive from the financial 

to receive $16 for each copy of work 166 purchased by an clearinghouse 200. 

ultimate consumer 95. Because of the secure chain of Thus, in this example, electronic control sets 188 may 
handling and control provided in accordance with the virtual specify or define, among other things: (i) rights available in 
distribution environment (see the Ginter et al. patent 60 a particular digital object, (ii) the cost of exercising such 
disclosure), author 164 can be confident (to the degree rights, and (in) how payments for exercising rights will be 
required by the commercial priorities of the author and divided (disaggregated) among rightsholders. This ability to 
allowed by the strength of the overall system) that publisher define payment disaggregation in advance (before custom- 
168, customer 95 and any other consumers or potential users ers' payment methods and arrangements are activated) pro- 
of property 166 will be subject to this control 1886. The 65 vides a high degree of efficiency and flexibility — since it can 
publisher 168 may add its own controls to the one specified use the consumers' payment method, for example, to auto- 
by author 164, the publisher controls 188c providing a $4 matically direct parts of the consumers' payment to appro- 



01/11/2004, EAST Version: 1.4.1 



US 6,658. 

53 

priate people who need to be compensated. Since the same 
electronic appliance 100 that is being used to exercise the 
rights is also being used to help direct payments to various 
different value chain participants, a portion of the overall 
financial clearing process is effectively distributed through- 5 
out a large number of parallel computing resources. Because 
of the high degree of trustedness that can be provided by the 
system disclosed in the Ginter et ah patent specification, for 
example, rightsholders can release such control sets 188 into 
the stream of commerce with an appropriate that their 
payment arrangements will be carried out. Financial clear- 
inghouse 200 can help to ensure that such disaggregated 
payments efficiently and rapidly reach their required desti- 
nations. 

A protected processing environment 154 at the site of 15 
customer 95 securely enforces the augmented controls 188c, 
requiring total payment and/or payment authorization from 
the customer 95 before, allowing the customer to access 
work 166. Controls 188c may also specify which financial 
clearinghouse 200 is to be used to handle payment 2Q 
processing, and what payment methods are acceptable while 
still giving customer 95 flexibility in terms of choosing a 
desired payment method. The customer's protected process- 
ing environment 154c may then automatically send appro- 
priate payment or payment authorization 190a to financial M 
clearinghouse 200 for disaggregation in accordance with 
controls 188a — which may be the same controls (or a subset 
of those controls relating to payment disaggregation) speci- 
fied by the author and/or the publisher. 

Because the customer's protected processing environment 30 
154c generates controls 188a subject to the controls 188c, 
1886 specified by the publisher and author (see FIG. 22), 
these payment controls 188a can be trusted to carry out the 
payment wishes of the author and the publisher and to reflect 
the payment dividing agreement between the two of them. 35 
The customer's protected processing environment 154c may 
send the customer's payment or payment authorization 152a 
and these payment controls 188a to financial clearinghouse 
200 within one or more secure electronic containers 152a. 

Financial clearinghouse 200 processes the payment or 40 
payment authorization 152a in accordance with controls 
188a, distributing payment 1526 to the publisher and pay- 
ment 152c to the author in accordance with the payment 
dividing agreement reached between the author and the 
publisher. Thus, for example, financial clearinghouse 200 45 
might send $4 of electronic money to the publisher and $16 
of electronic money to the author; or it might credit the bank 
or other accounts of the author and publisher in these 
amounts. Because this entire process takes place in a secure, 
trusted virtual distribution environment, each of the value 50 
chain participants can trust that they will in fact receive the 
payment they require and the process can be carried on 
automatically and electronically in a very efficient way that 
flexibly accommodates a wide variety of different business 
models and ad hoc relationships. 55 

FIG. 23 shows a further, somewhat more complex pay- 
ment disaggregation example that adds a content distributor 
or aggregator 170 to the value chain. In this example, the 
consumer 95 's $20 may now need to be split three ways 
instead of two, with the author 164 still receiving $16, the 60 
publisher receiving only $3 and the content distributor/ 
aggregator 170 receiving $1 for his or her efforts. FIG. 24 
shows that the same basic arrangement shown in FIG. 22 can 
be used to accommodate the payment and other interests of 
this new value chain participant. 65 

FIG. 25 shows a further payment disaggregation example. 
FIG. 25 shows how disaggregation can be used to compen- 



,568 Bl 

54 

sate Commerce Utility Systems 90 for their role in main- 
taining and managing the value chain. As described above, 
the Distributed Commerce Utility 75 provides very impor- 
tant services, such as financial clearing, usage auditing, 
permissioning, certification, etc. Entire businesses or indus- 
tries may be based on efficiently and reliably providing these 
kinds of administrative and support services. Commerce 
Utility Systems need to be compensated for their own 
investments and efforts. One way for them to be compen- 
sated is to receive a small part of every transaction — "a piece 
of the tick." The same payment disaggregation mechanisms 
described above can also be used to support such micropay- 
ments to Commerce Utility Systems 90. FIG. 23 shows one 
example in which the Commerce Utility Systems 90 receive 
3% (e.g., $0.60 in the example shown) of the value of each 
transaction. Because electronic control sets 188 discussed 
above can be used to implement such micro-payment 
capabilities, any desired business arrangement or objective*, 
can be flexibly and efficiently accommodated. 

FIG. 26 shows that payment disaggregation can be used 
to disaggregate or split up a single consumer payment into 
an arbitrary number of different amounts (even recording 
amounts in different types of currencies for international 
trading purposes) at a variety of different destinations and 
using a variety of different payment mechanisms (e.g., credit 
cards, bank accounts, electronic money, etc.). 

FIGS. 27 and 28 show still additional payment disaggre- 
gation examples to further illustrate the flexibility in which 
Distributed Commerce Utility 75 can handle these and other 
arrangements. The FIG. 27 example shows the customer's 
payment being split up among the author 164, the publisher 
168, the aggregator 170, a repackager 174 and two addi- 
tional authors 164a, 164b supplying additional works incor- 
porated within the electronic property being provided to the 
customer. The FIG. 27 example is particularly applicable, 
for example, where the repackager 174 takes content from 
several sources on related matters and combines them into 
mixed source products such as multimedia combinations, 
"current awareness" packages, or newsletter-like publica- 
tions for sale to interested parties. 

For example, repackager 174 might publish a newsletter 
on contemporary politics, and select an essay written by 
author 164 for publication along with two other works 
written by authors 164a, 1646 for publication in the next 
newsletter issue. Authors 164, 164a and 1646 may grant 
repackager 174 the right to reformat and redistribute the 
work. Taking advantage of this reformatting right, repack- 
ager 174 may create the latest issue of the newsletter and 
distribute it in a secure electronic container for reading by 
customer 95. In this example, the secure electronic container 
152a may contain at least four separately "delivered" sets of 
business requirements— one for each of the three works (as 
specified by each of author 164, author 164a and author 
1646) and one for the overall newsletter (as specified by 
repackager 174). Alternatively, the various works and/or the 
controls applying to them can be sent and delivered in 
independent secure containers 152, and/or some or all of the 
works and/or controls may be located remotely. 

To read the newsletter, customer 95 opens electronic 
container 152a. Suppose that the newsletter cost (as set by 
repackager 174) is $10 per issue. The customer's $10 
payment or payment authorization is sent to financial clear- 
inghouse 200, which resolves it to give each value chain 
participant compensation (for example, author 164 may get 
$1, publisher 168 may get $1, aggregator 170 may get $0.50, 
each additional author 164a, 1646 may each get $1 and the 
repackager 174 may get the rest — all as directed by the 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

55 56 

applicable electronic controls. Thus, the repackager can be be flexibly provided so that the consumer might have the 

compensated for selecting appropriate articles on the topic option of paying a larger initial fee for unlimited usage or 

and combining them in a single, easy to read publication, smaller micropayments on a per use basis. In addition, 

and may also bring its own brand name recognition as an micropayments may be the least burdensome and most 

indicator of overall quality, and may itself add unique 5 practical way for Commerce Utility Systems 90 to be 

content of its own creation. compensated for their services. The ability to efficiently 

- 0 , u • tf i^t handle micropayments is thus very important in terms of 

FIG 28 shows a "superdistnbution example. One key s ^ J d ^ nablin small cha ^ GS v 

r^ts hoWer concern is copyright mfrmgement from pass- £ aditional fiaancial paymerjt onanisms, such as credit 

aiong-'-tnat is, illegal duplication ana reaistnoution. inis checks ^ ^ ^ 

are unsuited to manage micro- 

pass-along problem is senous m digUal envuooments such 10 a te .™ temst ically have levels of transaction 

as the Internet Tie virtual dis ribution environment «te- ^ sevefe burdens Qn business models 

closed in the Outer etal. patent specification and the based Qn ma £ bases Mqw $5 each Fof j tf 

admmistrauve and support services arrangements d^losed ^ ^ > ^ a it becomes 

m this specification fundamentaUy transform pass-along UDecoQomjcal to hand]e payments for less than some value, 

from a clear threat to an important opportunity. Because of « ps $2 each because the cost of handling the payment is 

the unique, automated se^re electromc management of * * i(m f transactioD vaUle * ore ven exceeds 

value chain nghts provided by the vulual distnbut.on .envj- ^ . tf Hence, traditional-financial payment 

ronment m the preferred embodiment the consumer can be mec _, amsms favor t base5 md dis£avor micr0 . 

treated as a trusted member of the value chain. This makes urchases 

possible a superdistribution model in which all customers 20 ' , , • , ... 

become potential distributors. Since revenue from superd- . ? , shoWS how Pf 5 ? 601 a 88 rc g atl ° Q ° r b "f dhn 8 

fatributbb incurs only minimal rights holder costs, superi- be "f d to . ? r ^ mv 1 e ° t ^ , conce " ls b * *! 

istribution provides large profit potentials to holders of of fi ° ancial ™***°<* «*f to >» 

rights in successful works. clea ? d : and { or "? reducm 8 . the a ™ ount of i messa 8 in g 

. . . «... 15 required to clear those transactions. The example payment 

Looking at FIG. 28, assume that customer 95 received a aggregalion sbown in na 2 9 may be performed on the 

work from aggregator 170 that she likes so much that she C0DSU mer's own electronic appliance 100 within a protected 

wants to pass it along to several friends and colleagues. processing environment 154; or at a centralized financial 

Assuming that aggregator 170 has granted customer 95 the clearingnolL5e 2 ©0; or part of it can be performed at the 

right to redistribute the work, the customer may simply and appliancc and part of it performed at the centralized clear- 

easdy be able to send a copy of the work to each of any j^^. -j^ mmcat aggr e g ation process can aggregate 

number of ; additional potential customers 95(1) . . 95(N)- 0 r combine many small payments together into larger 

These additional people may know customer 95 and believe pavments ^ r into a bundle of small payments that can be 

that she would not be sending them something that was not handkd aU a , once Such ])u ^ t payments aD(J/or bund ies 

potentially interesting and of high quality. In addition, the can ^ ^ veikjMaf along ^th other transaction 

downstream customers may be able to read an abstract or see data tf desifed tQ ^ ^^td and recorded by Distributed 

extracts of the work (e.g., view a trader of a film, read the vmy 75 ^ abi]ity to aggregate smaUer 

first chapter of a novel, or the like) without triggering paylnents bas beneficial effects in terms of 

payment. increasing efficiency, reducing the number of individual 

After reading the abstract or watching the first five ^ transactions that need to be cleared, and decreasing mes- 
minutes of the film without cost, suppose six of the down- saging traffic over electronic network 150. Of course, pay- 
stream customers 95(3)-95(8) agree to pay for the content at mcat aggregation is not necessarily suitable for every trans- 
an example cost of $3.25 each. Financial clearinghouse 200 action (some large, critical or risky transactions may require 
may ensure that the author 164, publisher 168 and aggre- rea i time clearing, for example), but can be used in a large 
gator 170 each receive an appropriate share of the income 45 number of routine transactions to reduce the burdens on 
(e.g., $7 to the author, $7 to the publisher and $8.75 to the Commerce Utility Systems 90 and overall system 50. 
aggregator). In one variation on this concept, payment aggregation 

Superdistribution makes possible any number of levels of may preserve the amounts of each individual transaction to 

redistribution. For example, suppose that of the six down- allow high degree of reporting granularity but may be used 

stream customers 95(3)-95(8), three of them decide to pass 50 to trigger when reporting occurs (e.g., after X dollars have 

the work along to each of six additional potential been charged, or Y number of transactions have occurred) so 

customers — so that eighteen additional people receive a that many individual transactions can be bundled and 

copy. Since the redistributed works have associated control transmitted/processed together. This type of aggregation is 

structures mandating the same payment arrangement, author useful for reducing the number and frequency of individual 

164, publisher 168 and aggregator 170 each receive addi- 55 messages traveling over electronic network 150. In such 

tional payments from each of these new customers. The instances, the reporting electronic appliance 100 may report: 

snowballing effect of redistribution can continue in this (i) the sum of the aggregated individual transactions, or (ii) 

manner across any number of consumers for a long time, and each of the individual transactions, or (iii) both, or (iv) a 

can dramatically increase revenue with minimal additional combination of the two. 

cost to the value chain members. 60 fig. 29 shows that a consumer may use his or her 

_ , _ ... electronic appliance 100 for a number of different activities, 

Payment Aggregation or Bundling such ^ fof examp , e> readiQg a QOvel> watcbing , vkJeo 

Micro-fees and micropayments may become an important program, obtaining and reviewing research results, interact - 

basis for content usage transactions. For example, a con- ing with and enjoying multimedia presentations, and home 

sumer might pay each time she views a particular work or 65 financial management such as checkbook balancing. A per 

uses a certain piece of computer software, or listens to a use micro-payment may be associated with each of these 

certain piece of music. Different payment arrangements can activities. For example, the consumer might pay $1 to a 



01/11/2004, EAST Version: 1.4.1 



US 6,6! 

57 

publisher A and $1.50 to an author A each time the consumer 
accesses an electronic version of a work written by the 
author and distributed by the publisher. Suppose that the 
author A's works have become so popular that they have 
been made into films. The consumer might pay on a per-use 
basis to watch one of these films — paying the publisher A 
$5, the author A $3 and Distributed Commerce Utility 75 
$0.50. 

Payment aggregators 266 (which may, if desired, operate 
at the consumer's site within the protected processing envi- 
ronment 154 provided by the consumer's electronic appli- 
ance 100) may aggregate payments to common entities, 
keeping a running total of the amount of money owed to 
publisher A, the amount of money owed to author A, and the 
amount of money owed to the Distributed Commerce Utility 
75. This running total can be incremented each time the 
consumer triggers an additional payment event. The aggre- 
gated payment amounts can be periodically or otherwise 
reported to financial clearinghouse 200 or other Commerce 
Utility Systems 90 based on certain time intervals (for 
example, weekly, monthly, or daily), the occurrence of 
certain events (for example, the consumer has exceeded her 
credit authorization and needs a new one, certain electronic 
controls have expired, etc.), and/or a hybrid of any or all of 
these techniques. 

FIG. 30 shows another example of payment aggregation 
across a number of consumer transactions. In this example, 
payments to the same value chain participants and using the 
same payment method are aggregated together to provide 
totals. This payment aggregation — which may take place at 
the consumer's site and/or within a financial 
clearinghouse — reduces the number of overall financial 
transactions that need to be cleared. This increases efficiency 
and throughput, and decreases the cost for handling each 
individual consumer transaction. 

FIG. 31 shows a still additional payment aggregation 
example in which aggregation is performed over transac- 
tions of a number of different consumers. For example, all 
transactions using a particular payment method pertaining to 
a particular provider could be aggregated by a financial 
clearinghouse 200. Note that the payment aggregation tech- 
niques shown in FIGS. 29-31 do not necessarily result in 
loss of individual transaction detail In other words, it is still 
possible for consumer electronic appliances 100 to log and 
report detailed per- transaction information, and for financial 
clearinghouse 200 and/or the usage clearinghouse 300 to 
report detailed usage information on a transaction-by- 
transaction basis — even though individual transaction pay- 
ments are being combined for more efficient payment pro- 
cessing and handling. This ability to separately handle and 
process more detailed and granular usage information while 
at the same time aggregating payments can provide a high 
level of auditing accountability without unduly burdening 
the payment handling mechanism. In some cases, loss of the 
detail records leads to savings on the clearinghouse side. 
They may be discarded, but there are advantages to keeping 
them around on the user's system and/or in a repository on 
a Commerce Utility System 90. If there is a billing dispute, 
for example, the local copy of the detail records might serve 
as useful evidence of what actually occurred— even if they 
were never transmitted to the clearinghouse. 

FIG. 32 shows how an example financial clearinghouse 
200 might be modified to include a payment aggregator 
component 268. 

Payment aggregator 268 could be used to aggregate 
payments incoming from a number of different consumer 



58,568 Bl 

58 

electronic appliances 100 or other sources, and provide 
those aggregated payments to switch 200 for handling via 
third party settlement services, for example. Payment aggre- 
gator 268 could selectively aggregate only certain payments 

5 while permitting other payments to pass through directly to 
switch 200 for direct handling without aggregation. Payment 
aggregation can be based on a number of different factors. 
For example, payments can be aggregated based on 
consumer, provider, payment method, or a combination of 

10 any or all of these factors. This aggregation function can be 
performed entirely or in part within consumer 95 electronic 
appliances, or it could be performed centrally by a central- 
ized clearinghouse 200. 

is Usage Clearinghouse 300 

FIG. 13 shows an example usage clearinghouse Com- 
merce Utility. System 300. Usage clearinghouses services, 
and functions, in general, may collect, analyze and "repur- 
pose" detailed, summary, and/or derived usage information 
about the use and/or execution of digital properties and/or 
digital processes. This information may include any infor- 
mation descriptive of electronic transaction activity. Usage 
clearinghouses and/or support services may, for example, 
2S provide and/or facilitate the following: 

Independent auditing and reporting (which may be pre- 
sented independently of financial settlement clearing 
services); 
General market researching; 
30 Negotiating, implementing, determining, and communi- 
cating levels of privacy and confidentiality with cus- 
tomers and value chain participants regarding such 
usage information; and 
Mass customized marketing and consolidated list selling, 
35 renting, or licensing. 

In more detail, usage clearing services in accordance with 
the present inventions may provide, for example, any com- 
bination of the following detailed features and/or functions: 
Compiling, aggregating, using, deriving and/or providing 
40 information descriptive of and/or otherwise relating to, 
use of a secure containers), secure container contents, 
and/or any other content and/or any digital control 
processes), wherein such information describes and/or 
otherwise relates to (a) one or more users of content 
H$ and/or processes, (b) one or more classes of content, 
control processes, uses of content, and/or users, and/or 
(c) one or more recipients of such usage information. 
Enabling tracking and reporting of content and/or process 
50 control usage and/or processing information at a highly 
granular (e.g., detailed) level. 
Can collect, aggregate, analyze, summarize, extract, 
report, distribute, rent, license, and/or sell, usage infor- 
mation. 

55 Employing information derived from user exposure to 
content, such as advertising, information materials, 
entertainment, training materials, business productivity 
software applications, etc., and securely supplying at 
least a portion of such derived information and/or 

60 related to such information, through the use of VDE 
mechanisms in the preferred embodiment, to usage 
information aggregating and/or analyzing 
clearinghouses, and where such clearinghouse securely 
provides at least a portion of said usage information, or 

65 information derived from said information to at lest one 
further clearinghouse and/or value chain rightsholder; 
and wherein said clearinghouse may securely provide 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



59 



60 



differing derived usage information to different other 
parties who have a clearinghouse role or other right- 
sholder role. 

Using the "information exhaust" audit trails created by, 
and/or derived from, user protected processing envi- 
ronment metering based on a variety of different tech- 
niques (for example those disclosed in Ginter, et al.). 

Ability to collect and analyze detailed usage information 
such as the number of times a digital property or any 
portion of a property has been opened, extracted from, 
embedded into, or executed; or the length of time a 
value chain participant has used a property such as an 
interactive game or multimedia presentation, computer 
software, or modules or subparts of such products. 

Providing a variety of repurposing capabilities for usage 
information arriving from consumers or other secure 
protected processing environments. 

Providing independent thud party auditing capabilities 
useful, for example, for archiving and non-repudiation. 

Providing information based upon usage auditing, user 
profiling and/or market surveying related to use of one 
or more secure containers and/or content and/or VDE 
managed process control in the preferred embodiment. 

Providing neutral, trusted third-party audit usage aggre- 
gating and reporting services for rights holders, 
consumers, and/or other value chain participants and/or 
interested parties such as governmental bodies 
(information for taxation, law enforcement, commer- 
cial surveying and statistics, etc.). 

Providing audit opportunities in conjunction with rules 
and controls rights and permissions clearing (for 
example, to provide a report about which rules and 
controls permissions and rights, were exercised, for 
example by whom, for what, and when — thereby tying 
actual user activity back to specific permissioning and 
rights and/or rules and controls templates). 

Id the preferred embodiment, providing standardized and 
custom reporting and analyzing based upon VDE rules 
and controls and produced and delivered in VDE con- 
tainers to each and/or any one or more grouping of 
content creators, content distributors, industry analysts, 
trade associations, and any other stakeholders and 
value chain participants, and/or any other interested 
parties such as government statisticians, regulators, 
and/or taxation authorities. 

Providing any combination of raw, refined, summarized, 
derived, and aggregated trusted data reporting for the 
support of plural business models within any value 
chain, and/or across and/or plural value chains. 

Distributing, to value chain participants and other parties 
within or outside of the electronic community, usage 
information separately from and/or with financial 
settlement clearing services. 

Supporting privacy and confidentiality controls fully pro- 
tecting rights of all value chain participants interests 
related to usage information, including, for example, 
rights inherent in VDE chain of handling and control 
managed business models. 

Can accommodate privacy concerns, e.g., to not reveal 
more information than a consumer or value chain 
content distributor, aggregator, repurposer, or other 
user of an electronic device that employs, in the pre- 
ferred embodiment, VDE for secure, managed content 
or other process control, authorizes, and, for example, 
to inform such authorizing user of what kind of infor- 
mation is being gathered and/or cleared). 



10 



15 



20 



30 



35 



40 



45 



50 



55 



60 



65 



Can be trusted to automatically, based at least in part upon 
rules and controls, conceal (e.g., encrypt), remove, 
and/or transform one or more portions of confidential 
or proprietary usage information before further pro- 
cessing of such information or delivering of such 
information to any one or more additional parties, 
including any further usage clearinghouse^), thereby 
efficiently protecting privacy and confidentiality, 
including protecting business trade secret information. 

Protecting key business model information from prying 
eyes of other interested parties, and/or from inadvertent 
disclosure to other interested parties and/or to the 
public, thereby laying the foundation for truly trusted, 
commercial networks. 

Allowing value chain participants, including, for 
example, commercial publishers and distributors, and/ 
or consumers and service and/or product provider 
organizations, to negotiate the. level of detail of usage 
information to be conveyed to any given value chain 
rightsholders, and wherein such level of detail may 
differ according to who the specific receiving parties 
are and the specific type and/or subtype of usage 
information, and where plural, differing levels of detail 
for differing portions of such usage information may be 
provided to a given usage information receiver and/or 
as a given deliverable, and where such determination of 
detail is, at least in part, determined by the rights of a 
given party at least in part described by VDE rules and 
controls information in the preferred embodiment. 

Allowing consumers and organizations to negotiate the 
level of detail of information conveyed to value chain 
rightsholders. 

Allowing consumers or other value chain participants — 
creators, publishers, distributors, repurposers — to 
specify and/or negotiate the level(s) of detail, aggrega- 
tion and/or anonymity they desire with respect to usage 
information regarding their usage of any given piece of 
content, content class, specific process, process class, 
and/or payment requirement (e.g., anonymity, and/or 
the maintenance of privacy related to some or all usage 
details, may require a payment premium to offset the 
loss of the value of such information). 

Allowing information consumers and/or other value chain 
participants to customize their "information exhaust" 
and to set rules and controls for how they wish to have 
their usage information aggregated, or otherwise 
used — subject to the competing requirements of right- 
sholders to receive information they are entitled to 
and/or receive information that user and rightsholders 
mutually, electronically agree may be provided to right- 
sholders. Users and/or one or more rightsholders may 
have the right to specify limits upon (e.g., use VDE 
chain of handling and control), and/or describe specific 
usage information that may or must be to be delivered 
to, one or more other rightsholders. 

Supporting substantial value chain participant control 
over what kind of value chain participant usage infor- 
mation is accumulated, who can access which infor- 
mation and how such information may be used, how 
such information is gathered and processed, and the 
extent that usage records are tied to a specific value 
chain participant or organization. 

Securely using containers (e.g., using VDE secure con- 
tainers in combination with VDE protected processing 
environment and communications security capabilities 
as described in Ginter, et al.) in any step, part, and/or 
process of providing secure usage clearing services. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



61 



62 



Supporting providing discounts, subsidies and/or coupons 
to value chain participants, for example to consumers, 
distributors, repurposers, etc., in exchange for usage 
data or more finely grained usage data (for example, 
ameliorating privacy concerns in some contexts). 

Generating and supplying to interested parties marketing 
research and reporting and consolidated marketing lists 
(for targeted mailing, direct sales, and other forms of 
targeted marketing. Such materials are generally analo- 
gous to independent magazine and newspaper circula- 
tion audits, television audience ratings reports, and/or 
commercial targeted marketing lists, but generating in 
a highly efficient, distributed, and secure electronic 
environment Such materials, when desired, can be 
provided with important new forms of detail (e.g., 
viewing, printing, extracting, reusing, electronically 
saving, redistributing, etc.), with far greater granularity 
of information, and with customized, selective report- 
ing of materials based upon recipients requested 
payments, rights, and/or conflicts of interest with one or 
more parties who have a rightsholder's interest in one 
or more portions of the underlying information. 

Using detailed usage information to automatically gener- 
ate classification hierarchies, schemes, groups, and/or 
classes, and automatically assigning individuals, 
groups of individuals, organizations, groups of 
organizations, digital and/or analog content or groups 
of digital and/or analog content to one or more classes 
derived from usage data created, collected, transmitted, 
in conjunction with at least one secure container and/or 
VDE in the preferred embodiment. 

Supporting advertising and marketing, including support- 
ing efficient value chain automation of the delivery of 
such services, such as automatic targeting or delivery of 
advertising and/or other marketing materials to defined 
sets (e.g., one or more classes) of consumers, 
professionals, employees and companies, in which the 
sets may be defined by self-selection, usage data, usage 
data profiles, or by any other means, and wherein said 
sets may be comprised of any one or more value chain 
participants (e.g., creators, consumers, distributors, ser- 
vice providers, web sites, distributed clearinghouses) 
and wherein said one or more participants may receive 
differing, customized materials, and wherein said 
receiving participants may redistribute such materials, 
if authorized by rules and controls, and where such 
participants may receive credit, coupons, monetary 
payment, and/or other forms of consideration for such 
redistribution, and where such redistribution may take 
the form of directing some or all of such received 
materials to one or more other parties at least in part 
based upon self-selection, usage data, usage data 
profiles, or by any other means, and wherein all such 
processes may be securely managed (e.g., supported) 
by interned al VDE chain of handling and control in the 
preferred embodiment. 

Determining payments and/or other consideration due to 
rights holders from advertisers based on value chain 
user exposure to advertising and at least in part, 
securely automating the distribution of portions of such 
consideration among plural parties having rightsholder 
interests related to the content and/or processes that 
served as a basis for determining such consideration. 

Supporting superior, targeted market segmentation and 
the design of more suitable information products and 
business models based on direct, more specific and 



10 



15 



20 



30 



35 



40 



50 



55 



60 



65 



detailed usage data and on customer and value chain 
preferences implied, explicit, and/or automatically 
derived from usage information, user profiles, class(s) 
identification information, etc. 
Enabling "private" usage clearinghouses (a usage clear- 
inghouse controlled and/or operated by an 
organization) to acquire certain detailed usage infor- 
mation and where such usage clearinghouses may 
perform usage analysis and/or other processing of such 
information and provide to more centralized and/or 
other party clearinghouses and/or other value chain 
participants, selectively limited usage information 
(e.g., employing higher level abstractions, summary 
information, restrictions on and/or manner of use of 
usage information — viewing, printing, saving, 
redistributing, etc.) for some or all of such usage 
information, and where differing limitations on such 
usage information may be applied to usage information 
derived from usage of differing classes of content, 
processes, users, and/or user groups, and where such 
limitation capabilities provide important additional 
protection of the confidential trade secret information 
of a company or other organization by concealing the 
detailed nature of certain internal activities, and where 
there may be a requirement by one or more other parties 
in a value chain for payment and/or other consideration 
in return for the retention of such detailed usage 
information. 

Enabling organizations to employ private usage data 
clearinghouses on corporate Intranets, where such 
clearinghouses are integrated with organization docu- 
ment workflow and/or data warehousing systems. 

Receiving, with private usage organization (e.g., 
corporation, government agency, partnership, or any 
other organized operating entity) clearinghouses, usage 
data from electronic appliances within the organization, 
S and aggregating records into detailed reports for 
internal use, and/or reporting raw, detailed data for 
internal use, but only aggregating usage data into 
summary reports for external distribution, for example, 
to rights holders and/or other value chain participants, 
and/or one or more commercial clearinghouses, and 
where detailed data for internal use is, in the preferred 
embodiment, protected as VDE protected content and 
access or other use of such content is limited to 
specified parties and/or in specified ways based, at least 
in part, on the specified parties securely maintained 
electronic identity, including, for example, any relevant 
party class identification information (e.g., member of 
a certain research group, senior executive officer) that 
has associated specific information usage privileges. 

Identifying and supplying, through private usage 
clearinghouses, usage related information providing 
important value usage data for allocating internal orga- 
nization resources, directing research, and other impor- 
tant business purposes. 

Distributing usage clearing (e.g., for efficiency and/or 
other reasons). 

Distributing usage clearing functions across a network or 
other system (for example, every consumer and/or 
other value chain participant node is potentially a 
distributed usage clearing service at least in part initi- 
ating its own, secure usage clearing, and where such 
participant node may communicate usage information 
direcdy to one or more other participants) and, in the 
preferred embodiment, in accordance with rules and 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

63 64 

controls and other VDE techniques as described in the clearinghouse 300, the real time requirement may involve 

G inter, et al patent specification. advertising or ratings information that loses some or all of its 

Hierarchically organizing usage clearinghouses, at least in value & a function of time (e.g., if certain ratings informa- 

part to protect confidentiality at each level in the tion isn't deUvered by a particular time, it may no longer be 

hierarchy. 5 relevant in a given market analysis; or if advertisers don't 

Granting authority and/or providing services to, or in receive usage information promptly, they may not be able to 

conjunction with, one or more distributed usage sub- res P° nd t0 ""J 0 ™ 45165 M ' effectl VC W Anothe . r case ma * 

clearinghouses whose operations may be located logi- mvolve * re< J u,red dehvey of usage ^formation (e.g a user 

cally and/or physically elsewhere, such as within a on va ? * on retums '° fi ° d ^"f aud,t date and ¥ &<x 

company or government agency and/or within one or 10 P en ° d ha f a ° d tbeU T ° f ^ m prOP ? " 

more jurisdictions and/or serving subsets of the overall ***** un,u *» "** * Performed). The asynchronous 

. . r c 1 • u delivery case would still be preferable in some instances for 

business focus area of a senior usage clearinghouse. , ; ^ . . 7T 1 

^. . , , , T . , the same reasons as above m connection with financial 

Distributing and/or otherwise authorizing usage clearing clearinghouse 200 

functions across a system or network, for example, 1S Data collection 314 ^ ^ to gather usage 

where every consumer and/or certain or all other value rccords m [u addition tQ Qthcr t of information> ^ 

chain participant protected processing environment ^ ^ afld 18g (which may provide i n f ormat ion 

(node) can potentially support a distributed usage clear- -caaamtogfro* and permissions, for example), 'financial ' 

mg service, ^dmnction in ithe context of the overall statements 2 40a, detailed financial reports 240/>, and 

Distributed Commerce Utility. 2Q requests for usage information and/or analysis 336. Data 

Initiating its own, secure usage clearing transactions collection function 314 may closely interact with database 

directly with one or more other participants. management function 316— resulting in various types of 

Providing interoperable operation with one or more other information being stored and maintained in a usage or other 

participant interoperable nodes, using any or all activi- database. Replication and propagation functions 330, 332 

ties employing Virtual Distribution Environment tech- 25 may be used to synchronize the contents of database 316 

niques. with other databases (for example, maintained by other 

Use of clearinghouse to generate usage information used, vszgz clearinghouses 300) and/or to provide a distributed 

at least in part, in the design and/or marketing of database across a number of secure network protected 

products and/or services related to the products and/or processing environments or electronic appliances, 

services whose usage is described by such usage infer- 30 Data aggregation 324 and analysis 328 may be used to 

mation. analyze the contents of data collected by data collection 

May be organized hierarchically, peer-to-peer, or in a 314 a " d/or database 316 '* al,b ^ 

combined mode where responsibility for usage clearing usa B e .clearinghouse 300 to perform auditing 320 and/or 

may be distributed in differing fashions for differing ^portrng 322. Privacy control 318 may be used in conjunc- 

commercemodelsand/oractivitiesand/orvaluechains, 35 b ° n mth rc ^^ function 322 to expose only certain 

and where certain one or more parties may be, for "if°nnation and not others to third parties-thcreby protect- 

example, hierarchically more senior to other parties in »* P™ 5 * *°f wnfiAaitiiliJy concerns of consumers 

, „, „ ,„j i,- ,„„.!,• n„ , _A, „, .„ for whom usage information has been collected. Such pend- 

one or more instances, and hierarchically a peer or less . _, ° . , . . . . , .*, ., 
senior in one or more other instances, that is, the m S CODtro1 316 ™ b * ; expressed in rules ^ associated with the 
relationship among participants is programmable and 40 «m™ « which the information arrived, 
may be set (and later modified) to represent one or more Reporting function 322 may generate a variety of usage 
desired usage clearing arrangements for given com- audltm S re P orts 304 ^ clearinghouse 300 
merce activities, value chains, or models. may be used to provide ar^ertising and/or marketmg support 
FIG. 33 shows an example usage clearinghouse 300 from 326 ( c *- to tel P target adverusmg to demographically 
a process point of view. Usage clearinghouse 300 in this 45 *PP*>pnate consumers and/or to provide market and adver- 
example collects, analyzes and reports on the usage of ^ rcsearc 1 h )' ^ in °° c «™P k ; 
digital information including, but not limited to, the usage of 300 ma * P roducc and/o f distnbutc advertising 340 for 
digital content Usage clearinghouse 300 in this example bv certom targeted consumers or dehver such 
performs the following functions: advertising on behalf of others. Usage clearmghouse 300 
. 50 may also generate customized responses 342 in response to 
Data collection 314, information requests 336, and can also generate release 
Database management 316, signals 344 authorizing electronic appliances 100 to delete 
Privacy control 318, and/or make "no longer pending" the usage information 
Secure auditing 320, from local databases once associated audit records have 
Secure reporting 322, 55 Deen transferred to usage clearinghouse 300 and that transfer 
Data acereeation 324 has been confirmed. Consumer 95 may have an interest in 
83 ' keeping rather than deleting this usage information after it 
Advertising and marketmg 326, has been "released" (e.g., as a matter of curiosity, to monitor 
Usage analysis 328, olners ' behavior (employees, children, etc.)) 
Replication 330, and 60 Usage clearinghouse 300 may generate its own controls 
Propagation 332. 1886 to, for example, govern how usage information, market 
Communication between usage clearinghouse 300 and analysis information or other information can be used by 
other electronic appliances 100 may be by way of secure others. For example, usage clearinghouse 300 might be 
electronic containers 152, if desired. As explained in more prepare a proprietary report or analysis that it provides to 
detail in connection with financial clearinghouse 200, usage 65 third parties in return for compensation. Usage clearing- 
clearinghouse 300 may receive the containers in real time house 300 may insist that the people that they provide the 
and/or on an asynchronous receipt basis. In the usage report to do not redistribute the report to anyone eke. Usage 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
65 66 

clearinghouse 300 may enforce this requirement electro ni- virtual distribution environment described in the above- 

cally by delivering the report within one or more electronic. referenced Ginter et al. patent disclosure, provider 164 can 

containers 152, and associating electronic controls 1886 be confident that the required audit trails will be generated 

with the report. These electronic controls 1886 could enforce and reported as he or she instructs. As consumers 95 use the 

the "no redistribute" prohibition along with other conditions 5 property 166, their electronic appliances 100 automatically 

grants and/or limitations (e.g., the report can't be modified, g^er and store the usage information in the form of audit 

the report can be printed and viewed, the report may be trails 302. Then, upon the occurrence of a specified event 

excerpted, etc.). ( e S> once a montn > once a week, after a certain number of 

As mentioned above, usage clearinghouse 300 may also uses, etc.), the consumer electronic appliances 100 send 

receive financial statements 240a and/or detailed financial 10 audit trail information 302 within digital containers to usage 

records 2406 or other financial information — and may gen- clearinghouse 300. 

erate its own financial statements 240c and/or detailed Usage clearinghouse 300 collects the audit trail informa- 

financial records 240*/. For example, the usage clearing- non 302 » ma y store it in its database 316, and analyzes the 

house 300 might provide a service to content providers in audit trail information to generate a report 304 which it may 

which the usage clearinghouse 300 receives controls 188a is send to provider 164 within a further electronic container 

from content providers similar to the controls delivered to 132* 

consumers 95. Based on a comparison of these data, usage Provider 164 automatically receives secure information 

clearingnoiise'300 might make estimates as to the amounts ' auditing the amount his or her work has been used and how 

of money that the content providers should expect to receive il ha s been used, with usage clearinghouse 300 relieving the 

from financial clearinghouses 200. Usage clearinghouse 300 20 provider from having to collect or analyze this detailed 

might thus provide an independent audit function — serving usage information. In addition, usage clearinghouse 300 

as a double check on financial clearinghouses 200 and may serve to protect the privacy of consumers 95 by 

providing a fraud detection function (e.g., people submitting revealing only summary details authorized by them (for 

usage records that don't have associated payments or oth- example, how many consumers have used the work 166 but 

erwise incorrect payment amounts may be detected by the is not their names or addresses). This confidentiality function 

usage clearinghouse 300). In addition, the control 188 might would be more difficult or problematic if provider 164 

represent closed models that content providers are coosid- attempted to analyzed detailed usage records himself or 

ering implementing, and usage clearinghouse 300 might herself. 

then offer a service in which it runs a comparison against the ™ G 36 shows a more detailed example usage clearing 

usage data it actually collects to build a model of what the 30 process involving two different usage clearinghouses 300 

financial results might look like if the content provider (1), 300(2). In this example, a provider 164 delivers a work 

actually instituted the proposed model. * ^ directly to consumers 95, and also to distributors 168 

FIG. 34 shows an example architecture of usage clear- that may redistribute the work to the consumers. The con- 

inghouse 300. In this example, usage clearinghouse 300 trols 188 associated with the distributed content 166 may 

includes a secure communications facility 346, a database 35 specify that usage clearinghouse 300(1) is to collect and 

and transaction processor 348, an authenticator 350, an analyze information relating to the usage of the content 166 

authorization checker 352 and a data aggregator 354. Usage directly distributed by creator 164, and that another usage 

clearinghouse 300 architecture may be based on the rights clearinghouse 300(2) is to collect and analyze usage infor- 

operating system architecture shown in FIGS. 12 and 13 of ma tion pertaining to the usage of the work 166 as distributed 

the Ginter et al. patent disclosure. 40 D Y distributor 168. Alternatively, usage clearinghouses 300 

Secure communications 346 provides communications C0> 300(2) may gather different types of usage information 

with a variety of electronic appliances 100 over electronic pertaining to the same electronic property 166 (for example, 

network 150 via secure containers 152 in this example. one usage clearinghouse might gather information pertain- 

Database and transaction processor 348 in this example m g to "P a Y P er view " usage, whereas the other usage 

performs most of the FIG. 33 functions. An authenticator 45 clearinghouse might gather usage information for all one- 

350 may be used to authenticate consumers and/or data, an time purchases). Usage clearinghouses 300(1), 300(2) may 

authorization checker 352 may be used to check each issue reports 304 to creator 164 and/or distributor 168 

authorizations, and a data aggregator 354 may be used to and/or consumer 95. 

perform the data aggregation function 324. Authenticator FIG. 37 shows how a usage clearinghouse 300 can be 

350 and authorization checker 352 perform authentication 50 used in combination with a financial clearinghouse 200. In 

functions as described in the Ginter et al. disclosure in ^is example, a consumer's electronic appliance 100 may 

connection with secure electronic appliances and protected send: 

processing environments. to usage clearinghouse 300, audit trail information 302 

FIG. 35 shows an example overall usage clearing process. pertaining to usage of electronic content, and 

In this example, a provider 164 provides a digital property 55 to financial clearinghouse 200, usage and payment audit 

to consumers 95(1), 95(2), 95(3). For example, provider 164 trial information 228 pertaining to financial clearing 

might provide a novel or other work 166 to each of the activities. 

consumers 95 within electronic containers 152. One or more If desired, usage clearinghouse 300 and financial clear- 
control sets 188 may be associated with the work 166 (and inghouse 200 may be operated by the same business (in this 
may, in one example, be delivered within the same electronic 60 case, both usage and financial audit trail information could 
container 152 used to deliver the work 166). The controls be sent within the same electronic container 152). The usage 
188 may specify that certain types of usage information clearing functions performed by usage clearinghouse 300 
must be gathered in the form of an audit trail, and that the may operate in parallel with the financial clearing functions 
audit trail must be reported based on certain time and/or performed by financial clearinghouse 200 to support both 
other events. 65 detailed usage reporting and efficient financial clearing. 

Because container 152 can only be opened within a secure FIG. 38 shows another example usage clearing operation 

protected processing environment 154 that is part of the based on media and/or advertising content placement. Con- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



67 



68 



sumers 95(1), 95(2), 95(N) may subscribe to various infor- 
mation distribution services 170A, 170B, .... These 
information distribution services 170 may distribute pro- 
gram material and advertisements (commercial content) 
produced by content providers 164. Consumers 95 consume 
the distributed content, and their electronic appliances 100 
gather and report associated usage data to usage clearing- 
houses 300(1), 300(2) .... 

The usage clearinghouses 300 may perform demographic 
analysis on the received usage data and, based on this 
demographic analysis, target particular ads for other com- 
mercial content 164 to particular information services 170. 
For example, information service 170A might distribute 
program material and commercial content 164 of interest to 
runners and others with physical fitness interests. Usage 
clearinghouse 300(1) might analyze the usage data provided 
by the consumers 95 who subscribe to and view this type of 
• information. Usage clearinghouse 300(1) is thus in -a unique 
position to place ads in other commercial and non- 
commercial content that might be of interest to the same 
interest group. Similarly, information service 170B might 
specialize in broadcasting information of interest to car 
enthusiasts. Usage clearinghouse 300(2) may gather usage 
data about the usage of this type of information — and is thus 
in a unique and well placed position to distribute and target 
advertisements, commercial and non-commercial content to 
this group of consumers. 

FIG. 39 shows an additional example usage clearing 
operation that may be performed by usage clearinghouse 
300. In this example, usage clearing house 300 may be 
authorized by rights holders 164 to offer discounts based on 
uie amount of usage information a consumer 95 is willing to 
disclose. This can, for example, be done with controls 188 
for the property by selecting from among control sets and/or 
entering into an electronic negotiation (see Ginter et al. 
FIGS. 76A and B). A rights holder might premeditate this as 
a general rule for their property — or given rights and per- 
missions clearinghouses 400 could be authorized to deliver 
these. control sets (e.g. based on their special position as 
collectors of particular categories of usage information). 

As one example, the consumer's electronic appliance 
might be a personal computer, and rights holders 164 who 
distribute computer software may be interested in knowing 
what software programs consumer 95 is using in addition to 
the ones they themselves are distributing. Consumer 95, on 
the other hand, may not want to reveal this detailed infor- 
mation about all of the software programs that are present on 
his or her personal computer. 

As another example, digital broadcast rights holders 164 
may want to know about every broadcasted program that 
consumer 95 watches, whereas the consumer may not want 
anyone else to know the kinds of programs be or she is 
interested in. 

Usage clearinghouse 300 can effectively accommodate 
these countervailing interests by offering consumer 95 a 
financial incentive for more full disclosure but giving the 
consumer a choice. 

In this example, rights holder 164 distributes electronic 
content and associated controls to consumer 95. The controls 
may specify options for revealing usage information. The 
consumer may choose: 

to pay full price and keep all usage information other than 
that essential for insuring payment absolutely secret; 
to allow limited usage disclosure in return for a small 

discount on price; or 
to take advantage of a big discount in return for allowing 
full disclosure of usage information. 



10 



20 



25 



30 



35 



40 



50 



55 



60 



65 



Some secretive consumers may want the outside world to 
know as little as possible about their usage habits and will 
be willing to pay full price to protect their privacy. Other 
consumers may not care what the outside world knows about 
their usage habits, and will want to take advantage of large 
discounts based upon more full disclosure. Any number of 
such option levels may be provided, allowing the consumer 
to, for example, select precisely what kinds of information 
are revealed and which ones are kept secret. Because usage 
data is being collected within a secure protected processing 
environment 154 that is part of the consumer's electronic 
appliance 100, the consumer can be confident that the usage 
data will be securely handled and that unauthorized disclo- 
sure will not occur without his or her consent. 

Based, for example, on one or more control sets 188 
provided to the consumers ' protected processing environ- 
ment 154 and/or the consumer's selection made possible 
through such control sets, the consumer's protected process- 
ing environment 154 could reveal no (or minimal) usage 
information, limited usage information or full usage 
information, to usage clearinghouse 300. Usage clearing- 
house 300 can then freely analyze the limited and full usage 
information it collects, providing reports and analysis to 
rights holders 164 and to other third parties such as market 
researchers, brokers, advertisers, auditors, scientists and 
others. 

Rights and Permissions Clearinghouse 

FIG. 40 shows an example of a rights and permissions 
clearinghouse Commerce Utility System 400. Rights and 
Permissions clearinghouse services may perform any com- 
bination of the following overall functions: 

Registering digital objects and associated permissions, 
prices and/or other permitted and/or required opera- 
tions supporting the execution of consequences for 
performing and/or failing to perform such operations; 
Providing pre-approved permissions on demand in accor- 
dance with specified circumstances and/or other 
requirements such as class(s) of permission requester, 
fulfillment, or ability to fulfill, payment requirements, 
etc.; 

Securely and efficiently performing electronic copyright 
registration with the appropriate agency for one or 
more countries and/or other jurisdictional units; and 

Reporting functions. 

In more detail, rights and permissions support services in 
accordance with these inventions that may include, for 
example, some or all of the following functions and features: 

Identifying, distributing and verifying specific property 
rights and/or other business rules and controls along a 
digital electronic value chain. 

Providing object registry services and rights, prices and/or 
other control information for registered objects. 

Assigning to each digital object at least one identifying 
number and/or name in accordance with its own num- 
bering and/or naming scheme and/or in accordance 
with one or more numbering and/or naming schemes 
defined by one or more other organizations, associa- 
tions (e.g., standards consortiums), companies, and/or 
agencies (e.g., governmental regulatory bodies). 

Receiving authority from secure chain of handling and 
control embodied in electronic control sets. 

Securely providing permissions (e.g., rules and controls 
based descriptions of permitted operations and associ- 
ated consequences such as prices) for digital properties 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



69 



70 



10 



15 



20 



25 



30 



that have been registered and supporting automated 
association of such registered properties with rules and 
controls sets (e.g., updating of rules and controls, 
employing preset templates based upon classes of 
properties, etc.), that may be provided, for example, at 
least in part remotely and securely downloaded to the 
registering site during, or as a result of, such registra- 
tion. 

Allowing rights holders in digital content to determine 
and flexibly define and securely provide to one or more 
rights and permissions clearinghouse ways in which 
they want their intellectual property products (for 
example, VDE protected digital properties) to be used 
and not used, and any consequences of such use and/or 
misuse. 

Providing VDE supported capabilities to distribute and 
manage, rights and business rules (including pre- 
approved and other permissions) along an ad hoc 
electronic value chain, where such rights and business 
rules are persistently supported. 

Providing digital object permissions on demand to people 
authorized to use a digital object. 

Can provide different terms based on different permis- 
sions securely associated with one or more combina- 
tions of classes of users (e.g., different age groups, 
jurisdictions, business capabilities, consumers, 
creators, providers, partners, government, non-profit 
organizations, educational organizations, organization 
membership, etc.). 

Providing rights holders with assurances that the terms 
they set are being adhered to by a potentially diverse 
and distributed value chain participant base. 

Can provide controls that do not include all possible 
permissions and/or distribute further, required and/or 35 
desired permissions upon request on an ad hoc and/or 
pre-planned basis according to the requester's rights 
(class and/or individual), for example, allowing rights 
holders to elect to distribute only the most frequently 
used permissions associated with a particular digital 
property, and allowing appropriate parties to obtain 
new permissions in accordance with the rights holder's 
model. 

Refreshing expired permissions upon request and/or upon 
an automated recognition of the expiration of such 
rights through the use of clearinghouse database 
mechanisms and the automated provisioning and/or 
messaging to provide such permissions and/or notify, in 
the preferred embodiment, a VDE value chain partici- 
pant of the need to acquire such permissions (notify 
such user, for example, before the user is actively 
attempting to use associated information and/or elec- 
tronic control processes and thereby avoiding user 
frustration and inefficiency). 

Using secure containers such as those described in G inter, 
et al., in any step, part, or process of providing secure 
rights clearing services. 

Creating, storing, distributions, and receiving rights and 
permissions "templates" allowing rights holders to effi- 
ciently and adequately specify rights, conditions and 
consequences, (e.g., compensation) to be associated 
with operations related to the use of their digital 
properties (and/or the use of VDE process controlled 
electronic events). 

Templates can directly correspond to digital control sets 
associated with properties, content users, user classes, 



40 



45 



50 



55 



60 



65 



and/or other digital information and/or physical or 

virtual sites and/or process control for event and event 

consequence governance. 
Templates can be self-executing. 
Templates can apply to multiple objects/instances. 
Templates can be delivered independently of any digital 

objects they may be associated with. 
Templates are extensible to anticipate new operations and 

scenarios, including, but not limited to new payment 

methods, pricing models and pricing levels, and new 

permissions. 

Templates can flexibly recognize all kinds of digital rights 
including, for example, distribution and transmission 
and/or retransmission rights. 

Templates can flexibly recognize individual identity and/ 
or class identity rights. 

Different templates can apply to different content and/or 
process control arrangement property types. 

Plural templates can apply to the same property and/or 
process control arrangement. 

Rights and permissions clearinghouses) may maintain 
superset templates, permitting value chain participants 
and/or hierarchically sub-clearinghouses to modify one 
or more of such superset templates to create templates 
employing a subset and/or extended set of said one or 
more superset templates. 

Templates can be completed in a number of different ways 
using, for example, a graphical user interface and/or a 
rights management language. 

Template "applications" can be created and/or modified 
through the use of topographical, schematic, directly 
editable graphical representation of value chain rules 
and controls, where such rules and controls and value 
chain relationships are represented through the display 
of, for example, mixed iconic, positional, flow diagram, 
and textual information, and wherein rules and controls 
are implemented, for example, through the use of a 
rights management language, and wherein, for 
example, elements or higher level representation of 
such elements of the rights language may directly 
correspond to graphical representation components. 

Multiple value chain participants can contribute to and/or 
modify templates and/or contribute and/or modify dif- 
ferent templates applying to the same digital informa- 
tion. 

Users can select between differing templates applying to 
the same digital information, including, for example, 
digital information describing and/or governing control 
processes (e.g., event management information) man- 
aged through, for example, secure VDE chain of han- 
dling and control. 

Distributing rights clearing functions across a network or 
other system (for example, every consumer and/or 
other value chain participant node is potentially a 
distributed rights clearing service at least in part initi- 
ating its own, secure rights clearing, and wherein said 
participant node may communicate rights information 
directly to one or more other participant, interoperable 
clearing nodes, in the preferred embodiment, all activi- 
ties employ VDE techniques as appropriate and as 
described in the Ginter, et al. patent specification). 

Granting authority and/or providing services to, or in 
conjunction with, one or more distributed rights sub- 
clearinghouses whose operations may be located logj- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

71 72 

cally and/or physically elsewhere, such as within a Permission creating, updating or changing 408, 

company or government agency and/or within one or Permission distribution 410, 

more jurisdictions and/or serving subsets of the overall Database management 412, 

business focus area of a senior rights clearinghouse Template definitions and/or management 414, 

distributing and/or otherwise authorizing rights clear- 5 Negotiating permissions 416, 

ing functions across a system or network, for example, Reporting 417 

where every consumer and/or certain or all other value Replication 418 

chain participant nodes can potentially support a dis- Registration 419 and 

tributed usage clearing service initiating its own, secure K n 42o' 

rights clearing transactions and function in the context 10 ^^and permissions clearinghouse 400's primary 
of the overall clearinghouse . network, including, clear- ^ of g ^ perfora f ed by database maD - 
mghouse integration with one or more other parUci- m 4U }q ^ mmCdtm9 ri ghts and permissions 
pants mteroperable nodes, and as elsewhere in this list, clearinghouse 400 may receive control sets 188 and corre- 
all activities employing, for example, VDE techniques 15 sponding obj^t identifications 422 within the same or 
as appropriate. different electronic containers 152, and then "register" this 
One or more rights may be automatically provided to a information in a database 412 for later reference. Rights and 
participant based at least in part upon some aspect of permissions "clearinghouse 400 may assist rights holders in 
content and/or process control usage, and such pro- defining control sets 188 specifying rights and permissions 
vided one or more rights may be supplied, for example, 20 relating to the rights holder's electronic properties by pro- 
as a promotional component providing coupons in viding a template function 414. Registration process 419 and 
compensation for certain usage (e.g., purchasing) pro- database 412 may register control sets 188 in addition to 
file which may be directly ascertained from usage objects or properties 166. 

information or may be derived from a weighted for- Rights and permissions clearinghouse 400 database func- 
mula involving a variety of variables. 25 tion 412 and distribution function 410 may be used to 
May be organized hierarchically, peer-to-peer, or in a distribute permissions on demand in response to requests 
combined mode where responsibility for rights clearing and may also be responsible for the task of distributing 
may be distributed in differing fashions for differing (™ distribution function 410) all permissions relating to a 
commerce models and/or activities and/or value chains particular property. Since permissions and/or prices may 
and where certain one or more parties may be, for ™ expire or change, rights and permissions clearinghouse 400 
example, hierarchically more senior to other parties in can also be responsible for updating control sets 188 speci- 
one or more instances and hierarchically a peer or less tying previously issued permissions and/or prices and dis- 
senior in one or more other instances, that is the tributing those updated control sets, 
relationship among participants is programmable and Rig^s and permissions clearinghouse 400 may also pro- 
may be set (and later modified) to represent one or more 35 vide a reporting function 417, issuing reports 406 pertaining 
desired rights clearing arrangements for given com- to the permissions and/or prices it has issued or distributed, 
merce activities, value chains, or models. for example. In this example, the operation of rights and 
FIG. 40 shows an example rights and permissions clear- permissions clearinghouse 400 provides audit opportunities, 
inghouse 400 from a functional viewpoint. In this example, a channel through which to attach usage information, 
rights and permissions clearinghouse 400 may perform some 40 Such audit operations (which may, for example, be provided 
or all of the following four main functions: *>y integrating rights and permissions clearinghouse 400 
Object registration. Rights and permissions clearinghouse ^ clearinghouse 300 functions) could be 

400 refers digital properties and their assorted used t0 cr f e *X ' re P ortS aboUt which P era ^ 10QS 
• • , TL-r were provided and which permissions were exercised — very 
permissions and prices. , f\ • r r r , A , j < 
r t 45 valuable information for market research and business con- 
Permissions on demand. In response to queries, rights and sequences ^ we u as providing additional accountability to 
permissions clearinghouse 400 provides permissions rightsholders 

188 together with associated prices in secure electronic rights and permissions clearinghouse 400 audit func- 

containers 152. Hie permissions controls 188 may be uon can ^ beneficial to preserve confidentiality, 

provided independently of the content. SQ Fof example> a private rights and permissions clearinghouse 

Negotiated permissions. In response to queries and 400 may fc e extended to provide payment aggregation in 

requests, the rights and permissions clearinghouse 400 order to hide confidential individual transaction level infor- 

negotiates permissions and/or prices on behalf of right- mation from the financial clearinghouse 200. In another 

sholders who have delegated this responsibility to the example, a rights and permissions clearinghouse 4C0 can 

rights and permissions clearinghouse. The rights and 55 issue reports 426 indicating, for example, the number of 

permissions clearinghouse 400 may also be an inter- registered objects in database 412 at the beginning of a 

mediary in the negotiations between rightsholders and reporting period, the number of new objects registered, and 

rights users. Rightsholders and rights users may nego- some aggregate statistics concerning perhaps the numbers of 

tiate among themselves and report the results of those kinds of permissions associated with these objects and/or 

negotiations to the rights and permissions clearing- 60 average or median prices for certain kinds of objects, 

house. Rights and permissions clearinghouse 400 can also 

Reporting. Rights and permissions clearinghouse 400 can respond to queries 402 with responses 428. A request, for 

provide reports to augment reporting performed by example, may consist of a request for permissions — which 

financial clearinghouses 200 and/or usage clearing- may be automatically granted; or the request may need to be 

houses 300. 65 qualified by the rights and permission clearinghouse 400 to 

In this example, rights and permissions clearinghouse 400 determine whether the requester is qualified to receive the 

may provide some or all of the following functions: permissions. Qualifications might be established by presen- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
73 74 

talion of one or more valid certificates, which might be rights and permissions clearinghouse 400. The publisher 168 
simply checked, or stored in the database 412 for transmis- may also include additional "controls over controls,'* or 
sion to providers along with other information about per- "permissions for permissions" "D" (e.g., distribution con- 
missions granted by the clearinghouse. In the preferred trols described in connection with FIGS. 79-85 of theGinter 
embodiment, other qualifications might be based on a shared 5 ct al. patent disclosure) along with controls 188ABC. These 
secret (e.g. , one or more tags from a control set 188 held by additional "D" controls may specify the circumstances under 
the requester) known by the requester's PPE 54 and the whicn rights A, B and/or C may be granted (qualification of 
rights and permissions clearinghouse 400. This shared secret cre dentials, frequency of reissue, number of controls for a 
might be used in combination with a certificate, or in cases - en user etc \ 

when qualification requirements are lower or have already 1Q Consun ; er 95 (or other id such tt an 

been established (e.g., to have received the shared secret in — . t ~- , nt . „„w;ow\ m **, 

the first place), the shared secret alone might be adequate to WW"* ^kager author, or another publisher) may 

receive/for example, a permission that replaces or updates * «W of of thes < vanou * rc » sto ? d 

an expired permission Wlth "ghts and permissions cleannghouse 400. For example, 

Rights and permissions clearinghouse 400 also includes a * the consumer 95 is a journal who uses the work 166 in 

permission negotiation engine 416 that may be used to 15 accordance with control set 188AB and decides she wants to 

negotiate permissions 188 that haven't been pre-approved excerpt the work for certain purposes, she may request the 

by the rights holder. For example, suppose that a consumer control super set 188ABC that publisher 168 previously 

95 wants to exercise a right that is not within database 412. registered with rights and permissions clearinghouse 400. As 

The consumer 95 could request the right. In response, rights another example, a consumer 95 in Germany may have 

and permissions clearinghouse 400 could determine whether 20 received the control set 188 intended for U.S. distribution, 

the rights holder has authorized it to negotiate for the right and may need to request a different control set accommo- 

on behalf of the rights holder. If the rights holder has not dating the European legal and monetary environment, 

given the rights and permissions clearinghouse 400 the Additionally, a rightsholder may modify previously distrib- 

power to negotiate, the clearinghouse could contact the uted controls at a later date to add new rights, provide a 

rights bolder and request authorization and/or the permission 25 "sale," take away rights, etc. — with rights and permissions 

itself. If the rights holder has granted the rights and perm is- clearinghouse 400 being responsible for distributing these 

sion clearinghouse 400 negotiating authority, the clearing- new control sets either on demand, 
house could enter into an electronic negotiation (see Ginter FIG. 42A shows another example in which consumer 95 

et al. FIGS. 75A-76B) between the consumer's control set may register with the rights and permissions clearinghouse 

and the rights holder's control set The resulting negotiated 30 400 a control set 188X that pertains to an object such as a 

control set could be sent to the consumer, allowing the file or software program already received by consumer 95. 

consumer to exercise the right. This new control set 188X requests the rights and permis- 

FIG. 41 shows an example architecture for rights and sions clearinghouse 400 to send to consumer 95 a new 

permissions clearinghouse 400. In this example, rights and control set 188Y for the named object whenever the controls 

permissions clearinghouse 400 includes a secure communi- 35 registered for that object at the rights and permissions 

cations facility 430, a database and transaction processor clearinghouse 400 are modified. The rights and permissions 

432, an autbenticator 434, an authorization checker 436, and clearinghouse 400 may automatically send updated control 

a registration processor 438. As discussed above, the rights set 188Y to all registered users of a particular digital 

and permissions clearinghouse 400 architecture may be property. 

based on the rights operating system architecture shown in 40 In a different example, publisher 168 might distribute 

FIGS. 12 and 13 of the Ginter et al. patent disclosure and work 166 with a very limited control set 188X allowing the 

described in associated text. consumer 95 to view only the abstract and specifying rights 

Database and transaction processor 432 performs most of and permissions clearinghouse 400 as a contact point for 
the functions shown in FIG. 40. Registration processor 438 obtaining permission to view or otherwise use the content as 
may perform the registration function 419. Secure commu- 45 a whole. Consumer 95 could then contact rights and per- 
meations facility 430 communicates securely over electronic missions clearinghouse 400 to obtain a more expansive 
network 150 with consumers 95, authors 164, publishers control set 188Y allowing additional levels of usage. This 
168, aggregators 170, repackages 174, and other value provides a high degree of accountability and expanding 
chain participants via secure containers 152. Authenticator auditing capabilities, since it requires consumers 95 to 
434 and authorization checker 436 perform authentication 50 contact rights and permissions clearinghouse 400 in order to 
functions as the Ginter et al. patent disclosure describes in actually use a previously distributed property. Similarly, 
connection with secure electronic appliances and protected rights and permissions clearinghouse 400 may provide 
processing environments. updated control sets 188Y to replace expired ones. This 

FIG. 42 shows an example rights and permissions clear- mechanism could be used, for example, to provide a variable 
ing process. In this example, author 164 sends a work 166 55 discount on a particular item over time (for example, to 
with a control set 188A including controls A to a publisher allow a movie distributor to discount its first run film six 
168. Publisher 168 — in accordance with a secure chain of months after its initial release date without having to decide 
handling and control — adds controls B to the control set to at time of initial release how much the discount will be), 
form a new control set 188AB. Publisher 168 publishes the FIG. 43 shows a further example rights and permissions 
work 166 with control set 188 AB to consumers 95. Pub- 60 clearing operation performed by rights and permissions 
lisher 168 may also specify a less often used, but sometimes clearinghouse 400. In this FIG. 43 example, each of authors 
necessary additional set of permissions C within a more 164, publishers 168, aggregators 170, and optionally other 
comprehensive control set 188ABC (for example, controls C additional value chain participants, register their own con- 
may allow journalists to excerpt certain parts of work 166 trol sets 188 A, 188B, 188C, respectively, with a rights and 
for specific purposes). 65 permissions clearinghouse 400 — potentially also registering 

Publisher 168 may register control set 188ABC (and, if additional controls controlling distribution of their provider 

desired, also control set 188AB and control set 188A) with controls. Rights and permissions clearinghouse 400 may 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

75 76 

then distribute a new, combined control set 188ABC con- natural or computer-based language) — but a large percent- 
sis tent with each of the individual control sets 188 A, 188B, age of users will prefer the easy-to-use graphics interface 
188C — relieving any of the value chain participants from that templates 450 may provide — and won't mind giving up 
having to formulate any control sets other than the one they the additional flexibility and associated complexities when 
are particularly concerned about. In this example, rights and 5 undertaking the day-to-day business of defining permissions 
permissions clearinghouse 400 may also have an interface to for a large number of different pieces of content, 
other organizations (e.g., with a government agency 440, Example rights template 450 shown in FIG. 45A (which 
such as a Copyright Office — or with another type of orga- ma y be appropriate for text and/or graphics providers for 
nization such as professional associations). Rights and per- example) defines a number of different types of usage/ 
missions clearinghouse 400 may automatically register 10 actions relevant to a particular digital property, such as, for 
copyright in works and other objects registered with the example, "view title," 'View abstract," "modify title," 
rights and permissions clearinghouse 400— reducing or "redistribute," "backup," "view content," and "print con- 
eliminating such burdens from having to be performed by tc nt ." Rights template 450 may further provide a "menu" or 
the rights holders themselves. The copyright registration ^ 0 f options corresponding to each type of usage. These 
interaction between the rights and permissions clearing- 15 various options allow the rights holder to define rights that 
house 400 and the government agency 440 may, for others may exercise in connection with the property. For 
example, make use of VDE and secure containers 152. example, the rights may comprise: 

FIGS. 44A-^4E show an additional rights and permis- Unconditional permission, 

sions clearing process that may be performed using rights n . . .... i 

. m * . . A *r j .« ■ & ° M Permission conditional on payment, 

and permissions clearinghouse 400. In this example, a 20 r J 

publisher 168 may provide a property 166 and associated Permission based on content, 

control set 18&J to a consumer 93 (see FIG. 44A). The Unconditional prohibition, and 

consumer may use her electronic appliance ICO and asso- Prohibitions and/or permissions based on other factors, 

dated protected processing environment 154 to attempt to Rights holders may "fill in" or select between these 

access the property 166 using control set 188a, but may 25 various options to define a "rights profile" corresponding to 

determine that she requires an additional control set 188Z> in their particular property. In this example, rights template 450 

order to access the property the way she wishes. The may further models and/or levels for rights to be exercised 

consumer's electronic appliance 100 may generate a request conditional on payment. Such pricing models and levels 

402 to a rights and permissions clearinghouse 400 (see FIG. may flexibly define a variety of different sorts of business 

44B). In response, the rights and permissions clearinghouse 30 pricing, such as, for example, one time charges, pay per 

400 may distribute the requested control 188/> containing the view, declining cost, etc. See FIG. 45B for an example of 

permissions and pricing information requested by the con- how pricing models and levels might be specified using a 

sumer 95 (see FIG. 44C). The consumer may then use the graphical interface. 

property 166 in accordance with the control set 188 and Rights template 450 in this example can be self executing 

generate usage/audit trail information 302 based on the 35 and/or can be "translated" or compiled automatically into 

consumer's usage (see FIG. 44D). The consumer's elec- one or more control sets 188 providing the necessary con- 

tronic appliance 100 may report mis usage information to trols for implementing the rights holder's selections. FIG. 

usage clearinghouse 300, and may delete and/or release as 45B, for example, has a "view title" control 188a that allows 

"pending" the internally stored usage information once it unconditional viewing of the title as specified by the FIG. 

receives a release signal from the appropriate clearinghouse 40 45A rights template 450. Similarly, the FIG. 45B example 

(see FIG. 44E). controls 188 includes further control set elements 188(2) . . 

. 188(N) corresponding to other rights and permissions 188 

Rights Templates me rights holdef has defined 5ased up0D ^ mG ^ rights 

FIGS. 45 A and 45B show example rights templates 450, template 450. 

and FIG. 45C shows an example corresponding control set 45 In this example, rights template 450 can be extensible. For 

188. Rights template 450 may be analogous in some respects example, as new technology enables and/or creates new 

to "fill in the blank" forms. Rights holders can use rights operations, rights template 450 can be extended to accom- 

templates 450 to efficiently and effectively define the rights modate the new operations while still being "upward com- 

associated with a particular digital property. Such templates patible" with preexisting rights templates. Different rights 

450 are useful in framing the general purpose capabilities of 50 templates 450 can be used for different types of properties, 

the virtual distribution environment technology described in different value chain participants, etc. — and at the same 

the Ginter et al. patent disclosure in terms that are sensible time, certain rights templates might apply to multiple objects 

for a particular content industry, provider, content type or the or properties, multiple value chain participants, etc. Some 

like. This allows a user such as a provider to be presented rights templates 450 can be supersets of other rights tem- 

with a focused menu of resources that be applicable or useful 55 plates. For example, an overall rights permissions template 

for a particular purpose. 450 could define all of the possible rights that might apply 

For example, templates 450 may make some assumptions to a particular property or class of properties, and sub- 
about the character of the content or other information being templates could be further defined to define rights associated 
controlled, how it is partitioned or otherwise organized with different consumers, classes of consumers, or rights 
and/or the attributes those organizational entities have. Tem- 60 holders. Thus, for example, an author might use a subtem- 
plates 450 simplify the process of defining permissions, and plate that is different from the one used by a distributor, 
reduce or eliminate the need for specialized knowledge and Templates can also be recursive, i.e., they can be used to 
substantial investments of time to exploit the underlying refer to other templates (and similarly, the control sets they 
capabilities of the virtual distribution environment. It may define can refer to other control sets), 
be possible in this example for a user to avoid using 65 Rights and permissions clearinghouse 400 might partially 
templates 450 altogether and instead define permissions 188 fill in rights template 450 — or an automatic process could be 
in terms of a rights management language (for example, a used (based, for example, on rights holder's pre-existing 



01/11/2004, EAST Version: 1.4.1 



US 6,658, 

77 

instructions) for completing and/or duplicating rights tem- 
plates. Rights holders could use a graphical user interface to 
complete rights template 450 (e.g., by displaying a list of 
options on a computer screen and pointing and clicking with 
a mouse pointing device to fill in the options desired). Id 5 
another example, a rights holder could define his or her 
preferences using a rights management language that a 
computer could automatically compile or otherwise process 
to fill in rights template 450 and/or construct associated 
control set(s) 188. io 

FIG. 46 shows an example rights and permissions clear- 
ing process using rights template 450. In this example, rights 
and permissions clearinghouse 400 and/or individual rights 
holders define rights template 450 (FIG. 46, block 452(1)). 
The rights are then filled in the rights template 450 to define 15 
permissions granted and withheld, and associated pricing 
models and levels (block 452(2)). The rights holder associ- 
ates the permissions defined by the rights template with the 
object (e.g., by creating one or more control sets 188 that 
reference and/or apply to the property being controlled) 20 
(block 452(3)). The rights holder may then convey the 
permissions (control set 188) with or separately from the 
object (block 452(4)). Rights holders may send these control 
sets 188 directly to consumers 95 (block 452(5)), and/or they 
may sent them to a rights and permissions clearinghouse 400 25 
for registration and storage in a database (block 452(6)). 
Rights and permissions clearinghouse 400 may provide such 
preauthorized permissions to consumers (block 452(7)) on 
demand upon receiving consumer requests (block 452(8)). 

As described above, providers may control distribution of 30 
such pre -authorized permissions by > rights and permission 
clearinghouse 400 by the mechanism of providing 
additional, "distribution controls" directing and/or control- 
ling the distribution process. 

35 

Certifying Authority 

FIG. 47 shows an example certifying authority Commerce 
tility System 500. Certifying authorities and services may, 
in general, c reate digital documents that "certify" wa mnL 
and/or attest to some fact . Facts include, for example, 40 
idemmcation and/or membership in a particular class, e.g., 
s uch a s an organization; a ge group, possession j )Lacertain 
credentiaLtype; beingfsubject to one or more certain juris- 
dictions; andVor having a certified one or more rights to use 
content and/or processes for a fixed time period or termi- 45 
nating at a specific time. 

In more detail, a certifying authority in accordance with 
these inventions may provide any combination of the fol- 
lowing advantageous features and functions, for example in 5Q 
the form of certificates: 

Electronically certifying information used with or 
required by rules and/or controls such as 
authenticating, identity, class membership and/or other 
attributes of identity and/or context, and including 55 
automatically certifying said information based upon 
the source (for example, one or more certified provider 
identities) and/or class of said information. 
Providing t rusted verifica tion that a consumer or other 
value chain participant is who she says she is and/or is go 
a member of one or more particular groups, classes 
an d/or organiza tions. 
Providing trusted verification that a group of value chain 
participants are collectively who they say they are, 
wherein a plurality of certificates from different parties 65 
are tested as an aggregate and where such aggregate of 
certain certificates is required under certain circum- 



58 Bl 

78 

stances to use content and/or execute one or more 
control processes. 
Automatically producing a certificate, representing 
authentication of a value chain or value chain portion, 
as a result of the confluence of a plurality of certain 
certificates. 

Anticipating, through the use of rules and controls, allow- 
able collections of certificates from plural parties that 
can form a certificate that virtually represents a specific 
group of certified parties and in the presence of certain 
certificates identifying two or more anticipated parties 
and/or parties who have met a certain criterion — e.g., 
sufficient transaction revenue, sufficient credit 
worthiness, etc. — a new certificate may be automati- 
cally generated and act as a composite certificate cer- 
tifying the plural parties collective and coordinated 
presence, and wherein said certificate can be associated 
with certain rules and controls allowing certain elec- 
tronic activities such as usage of content and/or control 
processes in, for example, multiparty EDI, content 
distribution, trading system, and/or financial transac- 
tion systems. 

Generating one or more certificates at least in part as a 
result of rules and controls governance of certificate 
creation, wherein such generated one or more certifi- 
cates are produced, for example, as a result of secure 
rules and controls based one or more instructions after 
the satisfaction of certain required criteria such as 
certain specific activities by each of plural parties — e.g. 
provision of one or more certificates and/or authoriza- 
tions and/or usage activity and/or credit and/or payment 
activity and/or reporting activity and/or VDE supported 
electronic agreement activity (including, for example, 
electronic negotiation activity). 

Certifying other support services (e.g., financial 
clearinghouses, usage clearinghouses, rights and per- 
missions clearinghouses, transaction authorities, and 
other certifying authorities, etc.) 

Certifying based on another certificate (e.g., identity) and 
an automatic secure database lookup which may be 
performed locally, across a distributed database' 
arrangement, or remotely. 

Providing non-automatic (i.e., at least in part human 
provided or assisted) services issuing more fundamen- 
tal certificates (e.g., identity certificates) based on 
physical evidence in addition to automatic services for 
issuing dependent certificates. 

May use public key cry ptography, private key, and/ or 
secure VDE virtual networks to support, _e.g _ create , 
digit al certificates. 

Canissue certificates that support the context for rights 
usage in an automatic, trusted, distributed, peer-to-peer 
secure electronic environment that supports chain of 
handling and control. 

As with other Distributed Commerce Utility services, 
supporting an unlimited variety of different business 
models and scenarios through general purpose, 
reusable, programmable, distributed, modular architec- 
ture. 

Can issue certificates that support control sets having 
elements whose use is dependent on presence and/or 
absence of specific, and/or class and/or non-specific, 
one or more digital certificates attesting to certain facts 
and where differing requirements may coexist regard- 
ing the presence or absence of certificates related to 
differing issues. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

79 80 

Can issue one or more certificates that cooperate with May be organized hierarchically, peer-to-peer, or in a 
conditional electronic control sets to grant certain rights combined mode where responsibility for certificate 
only to certain consumers and/or other value chain authority activities may be distributed in differing fash- 
participants, including, for example, consumers. ions for differing commerce models and/or activities. 

Issuing replacements for expired certificates and support- 5 and/or value chains and where certain one or more 

ing sophisticated time and/or usage and/or other event parties may be, for example, hierarchically more senior 

driven expiration (including termination) of to other parties in one or more instances and hierarchi- 

certificates— for example, where criteria for such expi- a pe er or \ ess xn i ol ^ one or more omer 

ration may variety based upon specific certificates, instances, that is the relationship among participants is 

classes of certificates, specific and/or classes of users, 10 programmable and may be set (and later modified) to 

user nodes, etc. represent one or more desired specific certificate 

Maintaining and distributing, including selectively dis- authority arrangements for given commerce activities, 

tributing to distributed nodes revocation list y ^ 0f mod< ^ 

^formation based, for example upon node distributed Ufl nQ 4? shows aQ e le certify^ authority 500 from 

profiles and/or rules and controls ^ ^ ^ mt In this examplc , ccrtifying autbority 

Distributing revocation list information among m ^ { callcG certificates 504 that 

interoperable peer-to-peer networked Debuted „ , ^ such as identity or class membership. 

Commerce Utility nodes on a time. based, other event ' . 4 ' , .. , _ J . . . tU . B * 

based manner, wherein information is selectively dis- For exam P le a trusted third party certifying authority 5(H) 

tributed to certain one or more nodes in accordance ca ° P"™** \ ^ e ^ »™"™<* ?»« a consumer is 

with agreed to revocation information requirements 20 wh ° she c ums t0 * e °. r has « rt ™ <*a™ctensUcs, 

and/or where revocation information is non-selectively »«nbutes, class memberships, or the like. For example, 

. • MA _ „ some attributes may signify membership m a particular class 

distributed to certain one or more nodes. . « , * ' . r v . r . , c 

. . 4| _ . . . . , . „. , (e.g., all employees of a certain company), those born before 

Receiving autoonty from secure chain of handling and \ * rtam da P ^ faavin a ce^in physical disability, 

control embodied in electronic control sets. 2$ members rf ^ f administration or student body of a 

Distributing certificate authority functions across a net- ^ Qr rctifcd mcmbcrs of ^ forces, 

work or other system (for example, every consumer Iq this c ^ ^.tificates 504 issued by certify- 

node is potenually a certificate authority with respect to ■ authority 500 are used as a conveyor of the context of 

certain kinds of certificates; parents may be empowered rights afld lransaction authorizations. As described in 

to issue certificates for their chddren). 3Q ^ Ginter et d patent afcdosure, certificates 504 are 

Orgamangcertifica^ particularly powerful in the virtual distribution environment 

aUowinFautomatic verification of some certificate because they provide contexts for rights usage. For example, 

authorities (that is, their issued certificates and associ- class-based certificate use and automated, distributed gov- 

ated^aeterminations regarding trustedness, ernance of commerce rights may fundamentally enhance the 

appropriateness, etc.) through reliance on certificates 35 e ffi c i ency Q f trusted networks. Suppose, for example, that a 

issued by other certificate authorities at least in part for contcnt publisher wants t0 charge commercial prices for a 

such purpose. scientific journal subscription to all those but in higher 

Granting authority and/or providing services to, or in education and is willing to give college and university 

conjunction with, one or more distributed certificate students and professors a 20% discount. Digital certificates 

authority sub -clearinghouses whose operations may be 40 504 issued by a trusted certifying authority 500 can be used 

located logically and/or physically elsewhere, such as to automatically provide assurances — within the context of 

within a company or government agency and/or within distributed electronic network — that only people who are 

one or more jurisdictions and/or serving subsets of the truly entitled to the discount will be able to exercise it (in this 

overall business focus area of a senior certificate example, that only those certified as affiliated with an 

authority clearinghouse distributing and/or otherwise 45 institution of higher education). 

authorizing rights clearing functions across a system or i D the FIG. 47 example, certifying authority 500 may 

network perform the following overall functions: 

Every consumer and/or certain or all other value chain Fact co Uection and checking 522, 

participant nodes can potentially support a distributed Certification generation 524, 

certificate authority clearing service initiating its own, 50 

secure certificates and function in the context of the Maintaining revocation lists 526, 

overall clearinghouse network, including, clearing- Certificate and revocation list distribution 528, 

house interoperation with one or more other partici- Authentication 530, 

pants interoperable nodes, and as elsewhere in this list, Certificate renewal 532 

all activities employing VDE techniques as appropri- 55 Authorization 534 

ate. . * 

Providing liability acceptance control (i.e., for insuring Replication 536, 

digital certificates based on the amount of Lability Propagation 538, and 

accepted by the issuers)), and may include securely Archive 554. 

maintaining information regarding such liability accep- 60 Certifying authority 500 may gather evidence 502 as a 

tance and providing notices to recipients of such cer- basis for which to issue digital certificates 504. In this 

tificates regarding the liability protection afforded by example, evidence 502 may include other digital certificates 

such certificates, and may further include recipients of 504* (e.g., so that one certificate can build on another). The 

such insured certificates accepting, for example, fact collection and checking function 522 may accept this 

through explicit VDE managed electronic acceptance 65 evidence 502 as well as additional trustedness data 540 (e.g., 

or through implied acceptance by continuing, any information concerning compromised or previously misused 

liability above the insured amounts. certificates) Certificate generation function 524 may gener- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

81 32 

ate new digital certificates 504 based upon this fact collec- One certificate authority 500 may be "proxied" to issue 

tion and checking process 322. Distribution function 528 certificates on behalf of another — such as for example in a 

may then distribute the new digital certificates 504, and issue chain of handling and control defined by one or more 

bills 542 to compensate a certifying authority for undertak- electronic control sets 188. Distributing the certifying 

ing the effort and liability that may be associated with 5 authority 500 across a number of different electronic appli- 

issuing the certificate. ances has certain advantages in terms of efficiency for 

Certifying authority 500 may also maintain a revocation example. FIG. 50 shows one useful example of this distrib- 

list 542 based on trustedness data 540 indicating, for uted certificate issuance scenario. 

example, certificates that have been compromised or that FIG. 50 shows that a rigbtsholder 164 (and/or a rights and 

previously certified facts are no longer true (for example, to permissions clearinghouse 400) may request (e.g., by issu- 

Mr. Smith used to be a Stanford University professor but has ing electronic controls lSBa within a secure container 152a) 

since left the University's employ). The maintained revoca- a certifying authority 500 to issue digital certificates 504(1) 

tion list function 526 is important for providing a mecha- to accredited institutions of higher learning such as institu- 

nism to ensure that "bad" certificates cannot continue to be tion 1060. Control set 188a may establish the policies and 

used once they are known to be bad. Certificates 504 issued 15 procedures necessary to ascertain whether in fact a particular 

by certifying authority 500 can expire, and the certifying institution is duly accredited. Based on electronic controls 

authority can (for example, for a fee) renew a previously 188a and evidence 502 submitted by the institution 1060, the 

issued certificate by performing certificate renewal function certifying authority 500 may issue a digital certificate 504A 

532. The certifying authority 500 may maintain a record or attesting to the fact of accreditation, 

database of the certificates it has issued, and this database 20 In order to take advantage of certificate 504A, a student, 

can be distributed — which can benefit from replication func- faculty member and/or staff member of institution 1060 may 

tion 536 and propagation function 538 to accurately and need to provide a further certificate attesting to the fact that 

efficiently distribute the database across a number of differ- he or she is affiliated with institution 1060. Instead of having 

ent locations. certifying authority 500 issue a further certificate 504 to 

FIG. 48 shows an example architecture for certifying 25 each student, faculty member and staff member of institution 

authority 500. In this example, certifying authority 500 may 1060, it may be efficient and/or desirable for each institution 

include a secure communications facility 544, an 1060 holding a certificate 504A to issue dependent certifi- 

encryption/decryption processor 546, a billing system 548, a cates 504(2) to its own faculty, staff and students. For 

key generator 550, a query mechanism 552, and an elec- example, institution 1060 may maintain a current list of all 

tronic archive 554. In this Vrnple, secure communications 30 students, faculty and employees. Rather than requesting 

544 is used to communicai „ ith other electronic appliances certifying authority 500 to issue a separate certificate 504(1) 

100 and/or other Commerce Utility Systems 90. Electronic to each student, faculty member and employee of institution 

archive 554 stores keys, certificates 504 and other informa- 1060, the institution may undertake this responsibility itself, 

tion required to maintain the operation of certifying author- For example, institution 1060 may elect to operate its 

ity 500. Encryption/decryption processor 546 is used to 35 own, distributed certifying authority 5 00 A. In one example, 

create digital certificates 504 by using strong cryptographic certifying 210 authority 500 may issue electronic controls 

techniques. Billing system 548 issues bills 542. Query 1886 (subject to controls 188a issued by rights holder 164, 

mechanism 552 is used to query electronic archive 554. Key for example) that delegate, to the institution's certifying 

generator 550 is used to generate cryptographic keys the authority 500A, the authority and responsibility to issue 

certifying authority 500 needs for its own operation. 40 dependent certificates 504(2) within certain limits (e.g., 

FIG. 49 shows an example certifying authority process. In attesting to a limited universe of facts such as for example 

this example, a publisher may send an electronic secure "This person is officially associated with the institution 

container 152 to a consumer 95. To use certain permissions 1060'*). Such dependent certificates 504(2) could, for 

188a in secure container 152, the consumer 95 may require example, be copies of certificate 504(1) with an addendum 

a certificate from certifying authority 500 that certifies as to 45 stating that a particular person is associated with the insti- 

a particular fact about the consumer (e.g., the consumer is a tution 1060 and stating a particular expiration date (e.g., the 

United States citizen, the consumer is a retired member of end of the current academic term). The institution's certi- 

the armed forces, the consumer is over 18 years of age, etc.). fying authority 500A may then issue such dependent cer- 

The consumer may generate a request 502 to certifying tificates 504(2) to each faculty member, student and staff 

authority 500 for issuance of an appropriate certificate. 50 member on its current roster. 

Certifying authority may check the evidence 502 the con- Recipients of certificates 504(2) may need a still further 

sumer 95 provides, or that some third party may provide, certificate 504(1) attesting to their identity. This is because 

and — once the certificate authority 500 is satisfied— issue certifying authority 500A issues certificates 504(2) attesting 

the consumer the required digital certificate 504. This digital to the fact that a certain named person is affiliated with 

certificate 504 may be used not only with the publisher's 55 institution 1060 — not to the fact that a particular recipient of 

control set 188a, but with control sets from other rights such a certificate is that person. The recipient may need to 

holders that require certification of the same fact and that obtain this further "identity" certificate 504(1) from a gov- 

havc agreed to trust certificate authority 500 as an issuer of ernmentally operated certifying authority 500 such as a state 

certificates. or federal government. 

Certifying authority 500 may communicate with con- 60 Rigbtsholder 164 (and/or a rights and permissions clear- 

sumer 95 using secure containers 152. It may generate and inghouse 400 not shown) may issue control sets 188c for 

provide a control set lSBb with certificate 504. This control digital properties 166 that grant discounts or that provide 

set 1886 may control some aspect of usage of the certificate other benefits to those who can provide a combination of 

504 (e.g., it may not be redistributed and/or modified) and/or valid digital certificates 504 attesting to their membership in 

to define a chain of handling and control for the issuance of 65 the class "accredited higher education institution." Each 

further dependent certificates (e.g., parents give authority to student, faculty member and staff member of the institution 

issue certificates about their offspring). 1060 who has received a certificate 504(2) may take advan- 



01/11/2004, EAST Version: 1.4.1 



US 6,6: 

S3 

tage of these discounts or other benefits. FIG. 50 A illustrates 
how such different digital certificates can be used to support 
certificate-conditional controls 188 — that is, control sets 
whose elements are dependent on the presence or absence of 
certificates 504 that attest to certain facts. 

In this FIG. 50A example, one or more control sets 188c 
include a number of discrete controls 188(1) . . . 188(N) 
applying to the same digital property 166 or group of 
properties, for example. Control 188(3) may provide addi- 
tional and/or different rights to all students, faculty and staff 
members of Stanford University. In the FIG. 50A example, 
multiple certificates can be used together to provide the 
requested certifications. For example, the certificates 504(1), 
504(2), 504A shown in the FIG. 50 example can be used 
together to allow a particular person to take advantage of a 
discount offered to students, faculty and staff members of 
accredited institutions of higher learning. For example: 

a certificate 504(1) may attest to the fact that a certain 
person John Alexander is who he says he is. 

another certificate 504A may attest to the fact that Stan- 
ford University is an accredited institute of higher 
learning, 

another certificate 504(2) may attest to the fact that John 
Alexander is a student at Stanford University for the 
current academic semester. 

Each of these various certificates 504 can be issued by 
different certifying authorities 500. For example, one certi- 
fying authority 500 (e.g., operated by a governmental entity) 
might issue a certificate 504(1) certifying the consumer's 
identity, while another certifying authority may issue cer- 
tificate 504(2) attesting as to student status, and a third 
certifying authority may issue the certificate attesting to the 
fact that Stanford is an accredited University (see FIG. 50). 

As an additional example, a control set element 188(1) 
shown in FIG. 50 A may provide a certain benefit for 
California residents. Its condition may be satisfied by the 
consumer presenting a digital certificate 504(3) certifying 
residency (e.g., in combination with the "identity" certificate 
504(1)). A still further permission 18C(N) shown in FIG. 
50A might be satisfied by presenting a certificate 504(5) 
indicating U.S. citizenship. Such certificates 504(3), 504(5) 
that warrant that a given person is subject to one or more 
jurisdictions (for example, a resident of, or doing business in 
a particular city, state, nation, or other political unit — and 
therefore, subject to that unit's sales, income, or other taxes, 
or subject to certain administrative fees) are particularly 
useful for interstate and/or international commerce transac- 
tions. For example, a certifying authority 500 might issue a 
certificate 504 to a financial clearinghouse 209 in the United 
Kingdom. This certificate 504 could be used in conjunction 
with control sets 188 distributed by rightsholders and/or a 
rights and permissions clearinghouse 400 specifying that 
only United Kingdom financial clearinghouses 200 are 
authorized to accept payment in pounds sterling. A customer 
wishing to pay in pounds sterling will only be able to 
complete the payment transaction if the financial clearing- 
house being used has the appropriate UK certificate. This 
UK clearinghouse might then pay appropriate UK taxes — 
relieving the provider from the burden of having to deter- 
mine which of his or her transactions were subject to UK tax 
payments and which were not. 

FIG. 50A also shows a further certificate 504(4) certifying 
that a certain person is married to a certain other person. To 
use certificate 504(4), it may also be necessary to present the 
first certificate 504(1) certifying identity. Such certificates 
attesting to relationship between individual people or 
between people and organizations are useful in allowing, for 



58,568 Bl 

84 

example, family members to use the certificates of other 
family members (e.g., a person can obtain a benefit based on 
his or her spouse's or parents' certified credential(s)). 
$#4 FIGS. 51-51D show example detailed formats of various 
5 digital certificates 504. The FIG. 51A digital certificate 
504(1) may certify that a person is who he says he is. This 
certificate 504(1) might include, for example: 
a field 560(1) stating the person's name, 
a field 560(2) specifying the person's date of birth, 
an expiration field 560(3) specifying when the digital 

certificate expires, 
a public key 560(4) corresponding to the person's public 
key, an ID code 560(5) (which in this example could be 
15 a hash of the public key field 560(4)), and 

a check sum field 560(6) providing an error checking 
ability. 

Di gital certificate 504(1) is encrypted in this example by 
the ce^^u3g.aumority-500_usi ng One-certifying jtyihority's 

20 p rivate key of a public kev-private key cryptosystem pair, 
su ch as RSA or El Gama l. The certifying authority SCO's 
corresponding public key can be made public (e.g., by 
publishing it in several publicly accessible sites on the World 
Wide Web or in another widely distributed context), or it 

25 could remain secret and never be exposed outside of pro- 
tected processing environments 154. In either case, success- 
ful decryption of the digital certificate 504(1) to reveal the 
original clear text information provides a high degree of 
assurance that the digital certificate was issued by certifying 

30 authority 500 (presuming that the certifying authority's 
private key has not been compromised). 

Expiration field 560(3) is useful because people who skip 
checks of revocation lists have at least some assurance that 
a certificate is good if it must be renewed periodically. 

35 Expiration date field 560(3) provides an additional safeguard 
by insuring that certificates do not last forever — allowing 
certifying authorities 500 to use different cryptographic key 
pairs for example to provide overall integrity and trustedness 
of the certification process. Changing the certifying author- 

40 ity 500's key pair reduces the incentives for an adversary to 
break a given key, because the amount of information 
protected by that key is limited, and the fraudulent use of a 
compromised key will only have a limited time of effec- 
tiveness. Furthermore, (currently) unexpected advances in 

45 mathematics may render some cryptographic algorithms 
useless, since they rely on (currently) theoretically intrac- 
table computations. A built in mechanism for changing the 
certifying authority 500's keys allows the impact of such 
breakdowns to be limited in duration if new algorithms are 

50 used for reissued certificates (alternatively, this risk can also 
be addressed by using multiple asymmetric key pairs gen- 
erated in accordance with different algorithms to sign and 
validate keys, at the cost of additional decryption time). 
FIGS. 51B, 51C and 51D show additional digital certifi- 

55 cate examples containing different sorts of information (e.g., 
professional credential field 560(7) in the case of certificate 
504(5), address field information 560(8) in the case of 
certificate 504(3), and student credentials field 504(9) in the 
case of student certificate 504(2)). These certificates 504(2), 

60 504(3), 504(5) are tied to identity certificate 504(1) via the 
common ID field 560(5), and both the identity certificate and 
the independent certificate would generally need to be 
presented together. 

FIG. 5 IE shows how an example digital certificate issued 

65 by one certifying authority can — in conjunction with a 
trusted database — be the basis for another certifying author- 
ity to grant another certificate. One certifying authority 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

85 86 

500A can, for example, validate user identity and create the digital certificates 504(1)-504(N) — one for each member 

identity certificate 504(1) shown in FIG. 51A. The user can of the entity, and 

submit this identity certificate 504(1) to another certifying control information 188 that specifies powers (e.g., rights 

authority 500B that has a data base 554a of people and/or or permissions) and "conditions of use." 

organizations who have a particular attribute. For example, 5 Value 564 provides an identifier that uniquely identifies 

certifying authority 500B may be operated by a professional the entity. The "other information" field 568 may provide 

organization that maintains an internal database 554a. Ccr- further information concerning the entity (e.g., the name of 

tifying authority 500B will trust the contents of this internal the entity, the name and address of each participant, the 

database 554a because the certifying authority 500B main- expiration date on which the entity ceases to exist, and other 

tains it and keeps it accurate. 10 information). Signatures 566(1)-566(N) are like signatures 

By comparing the identity information in the FIG. 51A on a partnership agreement — each member of the virtual 

certificate with the contents of the tru sted database 554 a. entity affixes his or her "signature" to indicate assent to be 

certifying authority 500B can issue the FIG. 51B certificate a member of the entity and assent to the conditions being 

without requiring any physical evidence from the owner of granted to each participant. 

the FIG. 51A certificate. This solves an important problem 15 Container 152 in this example further includes an elec- 

of requiring the user to "show up" each time he needs a tronic control set 188 describing conditions under which the 

highly trusted certificate — and also allows the second power may be exercised. Controls 188 define the power(s) 
certificate-generating the process to be automated. granted to each of the participants — including ' (in this' 

FIG. 51E also shows that the certificate 504(2) issued by example) conditions or limitations for exercising these pow- 

certifying authority 500B may be (along with identity cer- 20 ers. Controls 188 may provide the same powers and/or 

tificate 504(1)) a sufficient basis for a further certifying conditions of use for each participant, or they may provide 

authority 500C to issue a further certificate 504(3) based on different powers and/or conditions of use for each partici- 

its own lookup in a trusted database 55 46. pant. 

Another example would be a corporation that has proven For example, controls 188 may grant each participant in 
its identity to the Secretary of State in the jurisdiction in 25 a virtual entity the power to act as a certifying authority 500 
which it is organized. If this corporation has passed muster on behalf of the entity. In this particular example, controls 
to handle hazardous material it could submit its certificate of 188 may allow each party of the virtual entity to make 
identity 504(1) from the Secretary of State (which in this certificates on behalf of the virtual entity — within the con- 
case would comprise certifying authority 500A) to the s train ts of the conditions of use and further with the conse- 
agency (certifying authority 5 COB responsible for maintain- 30 quences defined in the conditions of use specified by con- 
ing the database 554a of which companies are currently trols. As discussed above, the right to grant certificates is 
qualified and authorized to handle hazardous materials. The only an example — any type of electronic right(s) or 
certifying authority 500B could then issue a certificate permissions) could be granted based on any type of elec- 
504(2) attesting to this fact in an entirely automated way if tronic conditions) of use. 

desired. 35 FIG. 51G shows one example process for creating the 

Insert before heading on p 219 Secure Directory Services FIG. 51F container 152. In this example, the parties to the 

(FIG. 52 shows) » virtual entity may negotiate control information governing 

collective action based on, for example, the electronic 

Certification to Allow Participants to Act as Agents negotiation techniques shown in FIGS. 75A-76B of the 

of an Entity 40 Ginter et al. patent specification (FIG. 51G, block 570). The 

Sometimes, one or more participants in a particular value resulting control information 188 specifies "conditions of 

chain, or having a particular relationship with other tt »" such that ma y be exercised by each 

participants, need to be authorized to act on behalf of the participant in the entity, and limitations on each of those 

collection of participants. For example, several parties may rights (which may be defined on a participant-by-participant 

wish to act based on authorization from the partnership or 45 oasis ). 

joint venture of which they are a member— or all partici- ^ participant initiating issuance of digital container 152 

pants within a particular value chain may need to act for the (actually, the participant's protected processing environment 

value chain as a whole. Each of the participants receiving 154 ) ma y a random value for use as entity identifier 

such authority from the entity may need authorization from value 564 (PG* 51G, block 572). The participant's PPE 154 

the entity to act 50 ma y Dext create the certificate information for the virtual 

The present invention provides a mechanism in which .«* the entity ' "*» «« with 

digital certificates 5M may be used to create a "virtual oth « ^TAT ( ^ W f \ £f T 

entity" that can grant any combination of participants any Pf s ™ E 154 n , ext , Y*"? enUty cerfficate 

combination of ihe same or different powers to exercise ■*»■««" ' * ******* parucipan s assent to be a 

, ~ , , „ ■, r w 55 member of the virtual entity and assents to the conditions of 

defined powers under controlled conditions of use. More 33 \ . r ""7. " * ZZ™ , , , 

1, . ■_ • use control information 188 (FIG. 51G, block 576). 

particularly, a digital certificate grants each participant in a JT ■ ' 4l _ , / 

. , . . * u 1* fl t *T The participant s PPE 154 may then make electronic 

virtual entity the power to act on behalf of the entity within . F<""^ ai " t * . . y , 1 • r *• 1 00 

. A « . . - 1 * . container 152, and place into it the control information 188, 

the constraints of the conditions of use and further with any 7T™ . ' " "* . " * e*o 1 

consequences denned in the conditions of use specified by * e ™* al ent f ^rUficate information 564 566, 568, and 

ckctronic controls associated with the container 60 me V*fP*£* 50 f ^dyxng a crypto- 

n „ , , , . graphic key the participant may use to exercise rights (FIG. 

?« WS an e . x ™P electronic container 152 that ^ 57g) ^ participaDt may then determine 

encases the following information: whether any more participants need to be added to the entity 

a value 564 that identifies the "virtual entity," certificate (FIG. 51G, decision block 580). If yes, the 

signatures 566(1)-566(N)— one for each member of the 65 container 152 may be transmitted (FIG. 51G, block 582) to 

entity, another participant member of the virtual entity and 

other information 568 pertaining to the entity, accessed and validated by that next participant (FIG. 51G, 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
87 88 

blocks 584, 386). The next participant may similarly sign the first publisher to issue certificates 504 to subscribers on 

virtual entity certificate information by adding his signature behalf of the virtual entity comprising both the first and 

566(2) to the list — indicating the she also agrees with the second publishers. The second publisher can be confidant 

controls 188 and agrees to join the virtual entity (FIG. 51G, that the first publisher will only issue certificates in acoor- 

block 588). This new information is used to add to and/or 5 dance ^ the conditions of use negotiated and agreed by 

replace the entity certificate information 564, 566, 568 (FIG. both Polishers. 

51G, block 590). This next participant also adds their own Another example is ai manufacturing process comprising 

certificate 504(2) to the container 152 (FIG. 51G, block multiple participants. Trie conditions of use provided by 

.ny\ controls 188 may allow any of the value chain participants 

J' _ OA eM . . . ... . . 1M . <n in the manufacturing process value chain to perform certain 

10 aaionsonbehalfofThevaluechamasawhole.Forexample, 
been signed by each participant within the virtual entity a maDufacturer> a finished goods ^ plier and the 

("no" exit to decision block 580). The completed container shipping company ^ Sports materials between them 
152 may then be transmitted to all participants (FIG. 51G, may for a virtual entity ^ virtual entity may then subm i t 
block 594). a control set to a transaction authority that describes a 

FIG. 51H shows an example process a virtual entity is pr0 c^ that describes aU mree participants acting in concert, 
participant may use to exercise powers on behalf the virtual For example, the control set created in accordance with the 
entity based on the controls 188 shown in FIG. 51F. The conditions of use applicable to their virtual entity might 
FIG. 51H example process is performed by the participant's ' permit a unified presentation of materials ' requirements, 
protected processing environment 154 based on a request. finished appearance and delivery schedule, as one simple 
The participant's protected processing environment 154 20 example. 

writes an audit record (FIG. 51H, block 594a) and then In another example, a semiconductor company, a systems 
evaluates the request using the conditions of use specified by integrator, and three different suppliers of software may 
controls 188 (FIG. 51H, block 594b), If the request is form a virtual entity supporting the semiconductor compa- 
permitted by the controls 188 ("yes" exit to decision block ny's chip design, simulation, and design testing applications. 
594c, FIG. 51H), the participant's protected processing 25 In this example, certificates may be issued to each company 
environment 154 accesses the virtual entity value 564 from comprising this example entity and to particular individuals 
container 152 (FIG. 51H, block 594d) and uses the control within each of the companies. Rules and controls negotiated 
information 188 associated with conditions of use to fulfill among the companies may specify who has access to which 
the request and perform appropriate consequences (FIG. parts of the software applications and associated databases 
51H, block 594e). In one example, the participant's pro- 30 and who may make modifications to the software and/or 
tected processing environment 154 may act as a certifying data. In this way, the semiconductor company can authorize 
authority 500 on behalf of the virtual entity by issuing a access to outside contractors and/or suppliers and to specific 
digital certificate 504 in accordance with the conditions of individuals representing those outside companies. These 
use digitally signing the digital certificate by encrypting the individuals may be authorized just enough access to solve 
entity identifier value 564 with a cryptographic key corre- 35 typical problems and perform system maintenance tasks, 
sponding to the participant's own certificate 504 within Also, they may be granted additional rights (authorizations) 
container 152, and making the digital certificate part of the for a limited period of time in order to resolve specific 
newly issued certificate. The example may then write addi- problems requiring for resolution access to certain 
tional audit information 594H reporting on the action it has executables and/or data not included in their default permis- 
taken. 40 sions. 

If the requested action is not permitted by controls 188 The virtual entity feature of the present invention 
(FIG. 51H, "no" exit to decision block 594c), the example represents, in part, an extension that builds upon the chain of 
FIG. 51H process determines whether the error is critical handling and control techniques disclosed in Ginter et al. For 
(decision block 594/). If the error is critical ("yes" exit to example, certificates produced in accordance with this 
decision block 594/), the process may disable further use of 45 aspect of the present invention can use capabilities of a VDE 
the information within container 152 (block 594g), writes chain of handling and control to manage a chain of certifi- 
additional audit information (block 594/i), and then stops cates. 

(FIG. 51H, block 594i). If the error is not critical ("no" exit Secure Directory Services 

to decision block 5940, the protected processing environ- 

ment 154 writes additional audit information (block 594A) 50 ™ G 52 shows an sample of a secure directory services 
and may then end this task (FIG. 51H, block 594i). Commerce Utility System 600. Secure directory services 

The processes and techniques shown in FIGS. 51F-51H ma y securely provide electronic and/or other directory infor- 
have a variety of different uses. As one example, suppose mation **** as names ' addresses, public keys, certificates 
that a first publisher publishes a derivative work including and ^ Q ^ Transmittal of such information securely (e.g., 
his own content and content provided by a second publisher. 55 *™a& the ™* oi > * preferred embodiment, the Virtual 
The two publishers may form a virtual entity that allows the Distribution Environment) helps prevent eavesdropping, 
first publisher to act on behalf of the entity— but only in hcl I» ensurcs confidentiality, and provides significant infra- 
accordance with the conditions of use negotiated and agreed s{ruct ™ support by enabling important participant intcrac- 
upon by both partners. For example, the second publisher hon efficiencies. 

may be willing to allow the first publisher to republish the 60 Io morc detail > ^cure directory services provided in 

second publisher's content and to allow excerpting and accordance with these inventions may provide the following 

anthologizing of that content by consumers 95 — but only if example advantageous features and functions: 

the consumers present an appropriate certificate 504 issued Securely and reliably providing directory information 

by the virtual entity attesting to the fact that the consumer is based on a variety of different parameters, including 

permitted to exercise that right. For example, only special 65 various classification information. 

subscribers having certain characteristics may be entitled to May securely provide consumer's, content provider's, 

receive a certificate 504. The techniques above allow the clearinghouse's and/or other party's electronic address 



01/11/2004, EAST Version: 1.4.1 



US 6,6; 

89 

(es) and/or other communication pathway(s) based on 
name, function, physical location, and/or other 
attributes. 

May provide consumer's, content provider's, clearing- 
house's and/or other party's public key(s) and/or 
certificates) based on, for example, name, function, 
physical location, and/or other attributes. 

Protects, and where appropriate may conceal, identity 
related information while efficiently managing and/or 
automating the confidential communicating of requests 
and responses in secure containers. 

Using secure containers and rules and controls to guar- 
antee integrity and non-reputability of content. 

Receiving authority from secure chain of handling and 
control embodied in electronic control sets. 

Distributing secure directory services functions across a 
network or other system (for example, every consumer 
and/or other value chain participant node is potentially 
a distributed secure directory service initiating its own, 
secure directory service transactions directly with one 
or more other participants using VDE as described in 
the Ginter, et al. patent specification). 

Granting authority and/or providing services to, or in 
conjunction with, one or more distributed secure direc- 
tory services sub-clearinghouses whose operations may 
be located logically and/or physically elsewhere, such 
as within a company or government agency and/or 
within one or more jurisdictions and/or serving subsets 
of the overall business focus area of a senior directory 
service authority distributing and/or otherwise autho- 
rizing secure directly service functions across a system 
or network. 

Every consumer and/or certain or all other value chain 
participant nodes can potentially support a secure direc- 
tory services authority providing naming and related 
services and function in the context of the overall 
naming services network, including interoperation with 
one or more other participants interoperable nodes, and 
as elsewhere in this list, all activities employing VDE 
techniques as appropriate. 
May be organized hierarchically to delegate responsibility 
for, and operation of secure directory services for a 
subset of the overall directory based on name, function, 
physical location, and/or other attributes. 
May be organized hierarchically to provide a directory of 

directories, for example. 
May be organized hierarchically, peer-to-peer, or in a 
combined mode where responsibility for directory ser- 
vices may be distributed in differing fashions for dif- 
fering commerce models and/or activities and/or value 
chains and where certain one or more parties may be, 
for example, hierarchically more senior to other parties 
in one or more instances and hierarchically a peer or 
less senior in one or more other instances, that is the 
relationship among participants is programmable and 
may be set (and later modified) to one or more desired 
specific directory service arrangements for given com- 
merce activities, value chains, and/or models. 
FIG. 52 shows an example secure directory services 600 
from a process point of view. In this example, secure 
directory services 600 is an archive that securely keeps track 
of directory information relating to consumers, value chain 
participants and/or electronic appliances, and securely pro- 
vides this information upon qualified demands. In this 
example, secure directory services 600 may provide the 
following functions: 



58,568 Bl 

90 

Database management 606, 
Database search/retrieval 609, 
Database replication 610, 
5 Database propagation 612, 
Authentication 614, and 
Authorization 616. 

Database 606 may be accessed by search and retrieval 
engine 608 which takes consumer-provided input informa- 

10 tion as a source and uses it to retrieve records that are 
relevant. For example, secure directory services 600 may 
receive identities 618 of individuals, organizations, services 
and/or devices; electronic addresses 620; certificate 622; 
and/or keys 624. This information may be stored in database 

is 606. 

In response to requests 602, secure directory services 
search and retrieval engine 608 may access database 606 to 
retrieve additional information (for example, the electronic 
mail address of a certain individual or organization, the 

20 public key of a certain individual, the identity of a person 
having a certain electronic mail address, the identity and 
address of a person having a certain public key, etc.). 

Additionally, secure directory services 600 may return 
access controls, audit requirements and the like. For 

25 example, a user may be required to present valid credentials 
(e.g., a certificate 504) to access the internal email addresses 
of a corporation. Certain fields of information known to the 
database 606 may not be available to all corners (e.g., the 
office location or a particular employee, their home directory 

30 (ies) on the company's servers, etc.; or a consumer's physi- 
cal address may be available to people that present a 
certificate 504 issued by the consumer acting as his own 
certificate authority 500, but no one else. These controls can 
be specified in secure containers that carry the information 

35 to the secure directory service 600. 

When the information is provided to requesters, they may 
be required to use the information only in authorized ways. 
For example, they may be allowed to use the information to 
formulate email messages, but not excerpt a physical 

40 address for a mailing list. These restrictions can be enforced 
by controls 188b the secure directory services 600 associates 
with the information it provides. 

As shown in FIG. S3, secure directory services 600 may 
provide a database 606 and search and retrieval engine 608 

45 in addition to a secure communications facility 626. The 
architecture of secure directory services 600 may be based 
on FIGS. 12 and 13 of the Ginter et al. patent disclosure. 

FIG. 54 shows an example secure directory service pro- 
cess performed by secure directory services 600. In this 

50 example, a sender 95(1) wants to send a message to a 
receiver 95(2). The senders and receivers could be electronic 
appliances 100 owned by consumers, clearinghouses, or the 
like. Sender 95(1) may send an address request 602 to secure 
directory services 600 providing certain information and 

55 requesting other information. In response, secure directory 
services 600 provide the requested information to sender 
95(1) — who may use the information to send a message to 
receiver 95(2). In this example, both the address request 602 
and the responsive information 604 are contained within 

60 secure electronic containers 152 in order to maintain the 
confidentiality and integrity of the requests and responses. In 
this way, for example, outside eavesdroppers cannot tell who 
sender 95(1) wants to communicate with or what informa- 
tion he or she needs to perform the communications — and 

65 the directory responses cannot be "spoofed" to direct the 
requested messages to another location. In addition, as 
discussed above, directory services 600 can include controls 



01/11/2004, EAST Version: 1.4.1 



91 



US 6,658,568 Bl 



188 along with its responses and/or request or require 
controls 188 as part of its input. 

Transaction Authority 700 

FIG. 55 shows an example Transaction Authority Com- 5 
merce Utility System 700. These inventions also enable 
secure "transaction authority" capabilities providing the 
following overall functions: 

Securely validating, certifying, and/or auditing events 10 
(including, for example, authenticating, and, for 
example, for non-repudiation purposes) in an overall 
multi-event transaction or chain of handling and control 
process; 

Securely storing, validating, certifying, and/or distribut- is 
ing control sets (including, for example, authenticating, 
and, for example, for non-repudiation purposes) for 
multi-event transaction or chain of handling and control 
processes; 

Issuing requirements for any or all of the transaction 20 

and/or process steps; and 
If desired, actively participating in the transaction or 
process (e.g., through managing, directing, 
intermediating, arbitrating, initiating, etc., including 
participating in models employing reciprocal control 25 
methods and distributed, automated events for, for 
example, distributed computing, process management, 
EDI, reference to currency, etc.) 
Can certify steps and/or pathways, including certifying 3Q 
proper routing for electronic information through trans- 
action authority telecommunication switches adapted 
to certify certain information and wherein certificates 
certify that a required route was followed and/or the 
sending of such electronic information was pursuant to 35 
certain stipulated rules and controls, for example 
acquiring certain archiving information and/or not 
exceeding budget and/or other limits and/or restrictions 
for, for example: numbers of "shipped" information 
containers in a given period of time, value of electronic ^ 
currency contained within (represented by) a current 
container and/or by containers over a certain period of 
time, financial amount committed in purchase order, 
proper ordering authority, etc. 
The transaction authority may simply be a secure, watch- 45 
ful bystander to, and certifier of, the electronic transaction 
and/or transaction step (in a sequence of overall transaction 
steps), it may be a secure facilitator of a secure plural-party 
electronic transaction, and/or it may actively and directly 
participate in the electronic transaction. 5Q 

In more detail, a transaction authority in accordance with 
these inventions may provide the following advantageous 
features and/or functions: 

Securely maintaining and validating event notification 
information pertaining to a multi-stage transaction and/ 5S 
or chain of handling and control processes). 
May enforce, through requirements for its certification or 
authentication, a sequence of required transaction and/ 
or chain of handling and control processes steps based 
on component representation of elements of a business 60 
process, where, for example, one or more transaction 
authorities respectively certify and/or authenticate one 
or more specific events at one or more step "locations" 
in a transaction sequence. 
May form an overall transaction control set from a 65 
number of discrete sub-control sets contributed, for 
example, by a number of different participants. 



92 



Using reciprocal methods to coordinate required transac- 
tion events, including for example, sequence of events, 
between value chain participants. 

Receiving authority from secure chain of handling and 
control embodied in electronic control sets. 

May intervene to actively manage transactions and/or 
chain of handling and control processes. 

Can coordinate workflow and/or chain of handling and 
control processes and/or other business processes. 

Can provide automatic and efficient management based 
on a trusted, secure distributed electronic commerce 
environment, including certifying and/or authenticating 
steps in distributed proprietary information, EDI, finan- 
cial transaction, and/or trading system value chain 
activities that very substantially improves security for 
distributed rights management, wherein such security 
can meet or exceed the security -available with 
centralized, online commerce models. 

May manage at least a portion of the transactions within 
and/or between value chain participants (e.g., 
organizations, individual consumers, virtual 
groupings). 

May specify and/or monitor, at least in part through the 
use of rules and controls, conditions of satisfaction for, 
and/or consequences of, atomic transactions. 

May direct what happens based on error conditions and/or 
transaction profile analysis (e.g., through use of an 
inference engine and/or expert system). 

Can provide confidential coordination of security, routing, 
prioritizing, and negotiating processes, allowing 
different, distributed parties to work efficiently together 
through a confidential, trusted interface. 

Providing notarization, validation, certification, and/or 
delivery, as appropriate, for secure document and/or 
process control. 

Can certify steps and/or pathways, including certifying 
proper routing for electronic information through trans- 
action authority telecommunication switches adapted 
to certify certain information and wherein certificates 
certify that a proper route was followed and the sending 
of such electronic information was pursuant to certain 
stipulated rules and controls, for example not exceed- 
ing budget or other limits for: numbers of "shipped" 
information containers in a given period of time, value 
of electronic currency represented by current container 
and/or by containers over a certain period of time, 
financial amount committed in purchase order, proper 
ordering authority, etc., are issued to satisfy require- 
ments regarding receiving a proper such certification or 
authentication at a node receiving such routed infor- 
mation. 

Distributing transaction authority functions across a net- 
work or other system (for example, every consumer 
and/or other value chain participant node is potentially 
a distributed usage clearing service at least in part 
initiating its own, transaction authority functions, and 
wherein said participant node may communicate usage 
information directly to one or more other participants) 
and in accordance with rules and controls and other 
VDE techniques as described in the Ginter, et al patent 
specification. 

May provide arbitration, mediation and negotiation 

services, electronic or otherwise. 
FIG. 55 shows a particular example transaction authority 
700 from an overall function viewpoint. Transaction author- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

93 94 

ity 700 provides, among other things, a secure auditing performs most of the processes shown in FIG. 55. Adaptive 

facility for maintaining the current state of an overall control set database 778 may perform the validated event 

transaction or process based upon event notifications it database function. Routing tables 776 may be used as part of 

receives from the participants in the transaction. requirement generation function 734 to route appropriate 

In this specific example, transaction authority 700 per- 5 messages to appropriate entities, 

forms the following functions: Process control logic 774 may include an inference engine 

Event notification collection 730, or expert system for use in handling error conditions not 

Validated event database management 732, M \y anticipated or specified by the event flow requirements 

„ A 760 and/or process routing requirements 762. Process con- 

Requirement generation 734, iq ^ m e ^ oq ^ ^ prindples> 

Secure authenticated auditing 736, ^ ^ neufal networks> or a combiliati on 0 f some or all 

Reporting 738, 0 f mese — or omer method of process control logic. 

Notifying 740, Process control logic 774 determines the next event that is 

Replication 742; and to occur within the overall transaction or process. 

Propagation 744. 15 Document notarizer 780 may be used to provide authen- 

In this example, transaction authority 700 receives noti- ticated document generation, for example, to affix digital 

fications that events have occurred in the form of event seals and/or stenographic information to written and/or 

notifications 748 which may be carried in one or more secure digital documents. 

electronic containers 152. Event notification collection pro- FIG. 57 shows an example transaction authority process, 
cess 730 collects these event notifications 748 and may store 20 In this simplified example, transaction authority 700 may be 
them in a validated event database 732. Transaction author- an entity internal to a corporation used to securely audit and 
ity 700 may generate additional notifications 748' based on direct an overall goods delivery process. In this example, a 
its validated event database 732, and may also issue customer 95 issues an order 788 for goods. This order 788 
responses 750 indicating the current status of a transaction is received by an order receiving department 704 which 
or process in response to requests 752 and/or based on other 25 issues an order event 710 to transaction authority 700. In 
requirements. In addition, transaction authority 700 may response to this order event 710, transaction authority 700 
generate and output audit records 754 indicating the may issue rules and/or requirements in the form of one or 
progress and status of transactions or processes based upon more electronic control sets 188 specifying how the order 
the contents of its validated events database 732 as analyzed receiving department 704 is to handle the order. These rules 
by auditing function 736. Transaction authority 700 may 30 188 may specify, for example, a sequence of chain and 
also issue reports 756 based on its reporting function 738. handling that also directs the activities of a fulfillment 
Validated event database 732 may be a distributed event department 709A, a warehouse 709B, a transportation com- 
notification database, in which case replication process 742 pany 726, and a payment collection department 709C. The 
and propagation process 744 are used to maintain and update rules 188 — which may be passed from one department to the 
the database in a distributed manner. 35 other within secure electronic containers 152 — thus speci- 
Another major function of transaction authority 700 in fies the requirements and overall process flow of the trans- 
this example is to issue new or modified event requirements action that is to occur. Each department may then pass the 
758 that can be used to control or influence an overall secure controls 188 along to the next department, with 
process or transaction. Transaction authority 700 may routing being directed by the rules themselves and/or by 
receive control set 188, prices and permissions 188', event 40 transaction authority 700. Each department may also issue 
flow requirements 760 and/or process routing requirements event notifications 748 alerting transaction authority 700 of 
762. Both event flow requirements 760 and process routing the current status of the overall process. Transaction author- 
requirements 762 can be specified in one or more control ity 700 may store this status information within its secure 
sets. In response to this information and the validated event validated event database 732 for auditing purposes and/or to 
database 732 contents, transaction authority 700 may use its 45 permit the transaction authority to direct the next step in the 
requirement generation process 734 to create new or modi- process. 

fied event requirements 758. Transaction authority 700 may Transaction authority 700 can, for example, use the inter- 
also create new or modified control sets 188" and new or action models shown in FIGS. 17E-1 through 17E-4 to 
modified prices and/or permissions 188'\ Transaction interaction with an ongoing transaction or process. One 
authority 700 may use financial statements 764 as an input 50 particularly useful scenario for transaction authority 700 is 
to its secure auditing function 736. to manage a process performed by multiple parties, such as 

FIG. 56 shows an example architecture for transaction corporations working on a joint venture or other common 

authority 700. In this example, transaction authority 700 objective. In this type of business scenario, multiple corpo- 

(which may be based on the VDE rights operating system rations may be working toward a common overall goal but 

("ROS") architecture shown in Ginter et aL FIGS. 12 and 55 may themselves have their own objectives internally such 

13) includes a secure communications facility 770, a data- as, for example, protecting their own confidential trade 

base and transaction processor 772, process control logic secret information. Transaction authority 700 can be used as 

774, routing tables 776, and an adaptive control set database an independent third party mediator/arbitrator to coordinate 

778 (these functions could be performed by methods at one activities between the multiple corporations without requir- 

or more control sites). In addition, transaction authority 700 60 ing any of the corporations to expose detailed process 

may also include a document notarizer 780 including a seal information to anyone other than transaction authority 700. 

generator 782, a digital time stamp generator 784, and a For example, transaction authority 700 can generate con- 

fingerprintAvatermark generator 786. trol sets specifying event flow and/or process routing 

Secure communications facility 770 permits transaction requirements 758 and/or control sets 188 that mean different 

authority 700 to communicate in a secure manner over 65 things in different contexts. As an example, a control set mat 

electronic network 150 (for example, via secure electronic transaction authority 700 issues might cause one corporation 

containers 152). Database and transaction processor 772 to perform one step and another corporation to perform 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

95 96 

another step — with each corporation never learning the block 762 to monitor events. If the atomic transaction is 

particular step or sequence of steps being performed by the complete (" Y") exit to decision block 765), the transaction 

other corporation. Thus, transaction authority 700 can authority 700 determines that the transaction is finished 

develop control sets 188 that can be used to provide only (FIG. 58B, block 774). 

partial disclosure between different individual or corporate 5 If the incoming event is an error condition (T exit to 

actors. FIG. 58B decision block 764), transaction authority 700 

FIGS. 58A and 58B show example steps and processes processes the error event in the control superset 188Y(FIG. 

performed by transaction authority 700 to perform an 58B, block 766). If the error is not critical (FIG. 58B, 

"atomic transaction". In this example, transaction authority decision block 767, "N" exit), then control returns to block 

700 performs a role that is somewhat analogous to the coach 10 762 to wait for the next event notification to arrive, 

of a football team. By accepting the skill set and require- If the error is critical (FIG. 58B, decision block 767, "Y" 

mentsof each individual "player" and linking them together exit), transaction authority 700 may call a critical error 

into an overall "game plan/' the transaction authority 700 handing routine (FIG. 58B, block 768). Critical error han- 

can involve any number of value chain participants in an dling routine 768 may attempt to resolve the error based on 

overall "atomic" transaction. 15 the rules within the control superset 188Y and/or on an 

In this example, each value chain participant 164(1), . . . inference engine 774 or other process control logic. Such an 

164(N) in a process administered by transaction authority inference engine or other process control logic 774 may be 
700 could contribute' a control set 188(1), '. . '. 188(N) * programmed concerning the business model of the overall 

specifying or governing the participant's own business transaction so it has enough information to select appropri- 

requirements, limitations and processes for the transaction 20 ate actions based on error conditions. 

(FIGS. 58A and 58B, block 750). These individual control The process shown in FIG. 58B can be nested. For 

sets 188(1), 188(N) specify how each individual participant example, the sub-transaction defined by one "participant" 

performs its own role. Each participant 164(1) . . . 164(N) may itself be an atomic transaction based on the contribu- 

knows its own role in the overall transaction, but may have tions of a number of participants — all of which are managed 

no idea what roles others may play or have any clear idea 25 by the same or different transaction authority 700. 

how to form a "team" of other participante-and so these Checkpoint Commerce Utility System 

individual control sets 188(1), 188(N) typically describe J J J 

only sub-transactions and may not take overall transaction A Commerce Utility System 90 can include service func- 

considerations into account. uons tnat enable it to perform as a "Security Checkpoint 

Transaction authority 700 also receives another control 30 System 6000" (see FIG. 58Q that provides security, 

set 188X specifying how to link the various participants' archiving, and non-repudiation services that can certify 

control sets together into overall transaction processes with and/or authenticate communicated information in certain 

requirements and limitations (FIGS. 58A and 58B, block ways. Security Checkpoint Systems 6000 can: 

752). This overall transaction control set 188Y specifies how provide a distributed, highly efficient, and automated 

to resolve conflicts between the sub-transaction control sets 35 auditing and archiving layer for electronic commerce 

188(1), 188(N) provided by the individual participants (this interactions, and 

could involve, for example, an electronic negotiation pro- enhance the depth of security of a distributed security 
cess 798 as shown in FIGS. 75A-76A of the Ginter et al. environment such as VDE and the Distributed Corn- 
patent disclosure). The transaction authority 700 combines merce Utility layer. 

the participant's individual control sets — tying them 40 Thus, Security Checkpoint System 6000 may perform 

together with additional logic to create an overall transaction security and/or administrative functions. This Commerce 

control superset 188Y (FIGS. 58A and 58B, block 752). Utility System capability takes the positive benefits of 

Transaction authority stores the resulting control superset centralized security models (e.g., ability to have a central 

188Y in local storage (FIG. 58B, block 754). This overall authority physically control the processing node) and 

control superset controls how transaction authority 700 45 deploys these capabilities into a distributed "user space" 

processes events to perform an "atomic" transaction. model that can achieve maximum efficiency and flexibility, 

Upon receipt of an incoming event requiring processing support secure and manageable scalability (a principal 

(FIG. 58B, block 756), transaction authority 700 may acti- weakness of centralized systems), and provide the enhanced 

vate the overall transaction control superset 188Y (FIG. security benefits of multiple, independent, secure environ- 

58B, block 758). The transaction authority 700 may then 50 ment layers. The latter capability is particularly adapted for 

deliver corresponding reciprocal control sets corresponding highly sensitive communications desiring extra security 

to portions of the overall transaction control superset 188Y assurance. These security layers are enabled by the required 

to each participant in the transaction — thereby enabling each participation and security processing of one or more inde- 

participant to communicate with the superset (FIG. 58B, pendent security checkpoint protected processing environ- 

block 760). Alternatively, each participant in this example 55 ments that reinforces the foundation distributed security 

may — at the time it contributes its control set 188(1), 188(N) environment. 

to transaction authority 700 — maintain a reciprocal control Information that passes through one or more Security 

set that can communicate with the control set the participant Checkpoint Systems 6000 can be certified and/or authenti- 

sent to transaction authority 700. cated to assure an information recipient (e.g., a party reoeiv- 

Transaction authority 700 may then begin monitoring 60 ing information in a container) that certain communications 

events received using the activated control superset (FIG. functions and/or security steps (processes) occurred prior to 

58B, block 762). If the mcoming event is not an error receiving the information. This certification and/or authen- 

condition ("N" exit to FIG. 58B decision block 764), then ti cation can include, for example, certifying or authenticat- 

transaction authority 700 determines whether the event ing proper communication routing through required and/or 

indicates that the atomic transaction is complete (FIG. 58B, 65 authorized protected processing Security Checkpoint Sys- 

block 765). If the atomic transaction is not complete ("N" terns 6000. Such checkpoints may be, for example, distrib- 

exit to FIG. 58B, decision block 765), control returns to uted throughout a telecommunications network, and "local" 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

97 98 

to the physical and/or logical location of end-user VDE or archiving of some or all portions of said container's 

nodes (see FIG. 58C). content Some of this information may be at least in part in 

Security Checkpoint Systems 6000 may employ telecom- encrypted such that one or more portions of such informa- 

munication switches adapted to certify and/or authenticate may not be decrypted without the cooperation of one or 

certain information and processes. For example, certificates 5 more of me container sender, the intended and/or actual 

issued by a Security Checkpoint System 6000 may certify container recipients), and/or a government body having 

that a required route was followed and that a required authority to access such information. . 

checkpoint examined a communicated secure electronic FIGS ; 5 » C and 58 P T * how c aD exam *£ of a "^pomi 

container, and/or that the sending of such a container or Commerce Utility System 6<M)0 arrangement that 

. . . . r ^ _r j * * provides communication checkpoint security, non- 

other electronic ^information was performed pursuant to 10 £ d ^ KIvice5 mc context of a 

certain stipulated rules and controls For example, such a te j^o mmunications network connecting users 95(1), 95(2), 

service can help ensure and/or certify and/or authenticate, 95(3) , n ^ exampIe> me security checkpoint systems 6000 

that certain budgets, other limits, and/or restrictions are not may ^ parl 0 f me telecommunications infrastructure. For 

exceeded, and/or certain other requirements are met. example security checkpoint systems 6000 may be part of 

For example, a Security Checkpoint System 6000 may 15 one or more telecommunications switches or other equip- 

help ensure requirements (including that limits or other ment that has been designed to detect secure electronic 

restrictions are not exceeded) for: the number of "shipped" containers 152 based, for example, on the header informa- 

information containers in a given period of time; the value tion they contain. 

of electronic currency contained within (or represented by) Security checkpoint systems 6000 in this example have 
a given container and/or by containers over a certain period 20 the secure ability to control whether or not a secure container 
of time (very important to reduce improper electronic cur- 152 transmitted through the communications infrastructure 
rency activities); the financial amount committed in a pur- will be permitted to pass — and the consequences of routing 
chase order, including that proper ordering authority is the container through the communications infrastructure. In 
present; and so on. Such requirement assessment may be in one example, controls operating with a user 95(1) 's pro- 
reference to, for example, container (or other digital infor- 25 tected processing environment may require certain kinds of 
mation communication) activity communicated from a cer- containers 152 (e.g., containers that carry electronic 
tain logical and/or physical area, node, node group, user or currency) to include controls 404 that require them to be 
user organization, and/or other user grouping, wherein said routed through a security checkpoint systems 6000 (or a 
reference is determined through referencing secure node certain class of security checkpoint systems). Such controls 
and/or individual user and/or organization and/or area iden- 30 404 ^ prevent the container 152 or its content (e.g., 
tification information as, for example, a VDE secure con- currency it contains) from being used unless it is routed 
tainer travels through said adapted one or more telecommu- through the appropriate security checkpoint system 6000. 
nication switches. F° r example, suppose that user 95(1) wishes to send a 

These Commerce Utility System "communications secure container 152 to user 95(2). In this example, the user 
checkpoint" capabilities can provide useful security features 35 95 (1) transmits the container 152 to user 95(2) through the 
by, for example, providing one or more "independent" telecommunications infrastructure. That infrastructure may 
distributed security "check points" along a telecommunica- detect that lDe information being sent is a container, and may 
tion route that substantially increases security reliability by route me container for interception by the a security check- 
requiring the presence of a proper certificate and/or authen- P oint system (system 6000(5), for example), 
tication securely provided by such checkpoint and securely 40 Security checkpoint system 6000(5) may, after intercept- 
associated with and/or inserted within said container by a m g tDC container 152, examine the control information 
process managed by said checkpoint (or a group of within the container to determine whether requirements for 
checkpoints). This presence can be tested by a receiving further communicating the container to user 95(2) have been 
node— and a proper certificate or authentication can be satisfied. Security checkpoint system 6000(5) may forward 
required to be present, for example according to rules and 45 the container to user 95(2) only if those requirements have 
controls, before such receiving node will process at least a Deen met— or it may modify the container to permit user 
portion of the content of one or more classes of received 9%*) ^ ™* the container subject to the container's 
containers. Such container classes may include, for example, controls 404 (which may limit use, for example). The 
containers from specific individuals and/or groups and/or security checkpoint system 6000 may be authorized to 
containers and/or container contents that have certain one or 50 modify at least a portion of the container's controls 404 — for 
more specific attributes. example to add further use limitations. 

Security Checkpoint Systems 6000 may be "independent" This FIG. 58C example shows two "webs" of security 
of end-user Virtual Distribution Environment nodes from a checkpoint systems 6000. In this example, these "webs" 
security perspective. Such nodes may, for example, be represent collections of security checkpoint systems 6000 
independent from a security perspective because they use 55 mat have each been certified (by a Certifying Authority 500 
key management to maintain multiple secure execution f° r example) as being: 
compartments within their protected processing environ- (1) a security checkpoint system, and 
ments for checkpoint management, such that a security (2) a member of the particular class, 
breach in end-user nodes shall not directly comprise the Hence, in this example "web 1" represents the class of 
security of checkpoint operation, and to help ensure that a 60 certified security checkpoint systems 6000(l)-6000(5), 
breach related to a secure execution compartment will not 6000(7); and Web 2 represents the class of security check- 
comprise other such compartments. point systems 6000(4)-6000(6). As one example, "web 1" 

Security Checkpoint Systems 6000 may also gather audit security checkpoint systems 6000 may be certified as' being 

information including, for example, retrieving identity infor- capable of handling containers containing electronic cur- 

mation of intended container recipients), class(es) of con- 65 rency 6004. 

tainer information, checksum and/or other information One of the requirements specified within the control 

employed for future validation (e.g., non-repudiation), and/ information associated with the container 152 may be that it 



01/11/2004, EAST Version: 1.4.1 



us 6,6: 

99 

must pass through a "web 2" security checkpoint system 
(e.g., system 6000(5)) — for example, to enable certain 
secure auditing functions such as trusted electronic currency 
tracking. A "web 1" security checkpoint system (e.g., system 
6000(3)) may refuse to pass the container 152 to user 95(2) 
based on these controls 404— or it may refuse to modify the 
container 152 to make it usable by user 95(2). 

By way of further example, suppose user 95(2) wishes to 
pass the container 152 along to another user 95(3). The 
controls 404 associated with the container 152 may require, 
in this particular example, that further communication of the 
container 152 must be through a "web 1" security check- 
point system 6000(7). This routing requirement maybe been 
present in the controls 404 provided by user 95(1), or it may 
be added by security checkpoint system 6000(5) or the user 
95(2)*s protected processing environment. 

In the particular example shown, the controls 404 may 
enable the "web 1" security checkpoint system 6000(7) to 
pass the container 152 along to user 95(3) via a further 
routing that does not include a security checkpoint system 
6000 (e.g., via another type of commerce utility system 
and/or a non-secure telecommunications switch). 

FIG. 58D shows an example process performed by an 
example security checkpoint system. In this example 
process, the security checkpoint system 6000 receives a 
container 152 (FIG. 58D, block 6002) and determines 
whether the requirements specified by its associated controls 
404 have been satisfied (FIG. 58D, decision block 6004). If 
the requirements have been satisfied, the security checkpoint 
system 6000 may perform "requirements satisified" 
consequences, e.g., modifying controls 404 to satisfy the 
routing requirement mentioned above (FIG. 58D, block 
6006). If the requirements are not satisfied (FIG. 58D, "N" 
exit to decision block 6004), the security checkpoint system 
may perform "requirements not satisfied" consequences 
(FIG. 58D, block 6008). 

Each set of consequences may involve some form of 
secure auditing, for example. If the security checkpoint 6000 
passes a container 152 containing electronic currency for 
example, the security checkpoint 6000 may record one or 
more of the following auditing information: 

sender identity, 

sender node identity, 

receiver identity, 

receiver node identity, 

certificate(s) on which the currency is based, 
other security checkpoints 6000 the currency has passed 
through, 

the identity of prior handlers of the currency, 

date, time, and location of transmission, 

date, time, and location of receipt, 

how long the currency has been in transit, and 

other secure auditing information. 

If the security checkpoint system 6000 refuses to pass 
and/or modify a container 152, it may produce an audit 
report including available tracking information, for 
example: 

sender name, 

nature of deficiency, 

intended receiver, and 

other tracking information. 
It may also notify the sender, the intended receiver, a 
government agency, or other authority. It may further charge 
a "failed communication" overhead fee to the sender, for 
example. 



58,568 Bl 

100 

The security checkpoint system 6000 may then determine 
whether additional communications are required (FIG. 58D, 
decision block 6010). If not, the process may complete. If 
additional communications are required ("Y" exit to deci- 
5 sion block 6010), the security checkpoint system 6000 may 
transmit the container 152 to the next system (FIG. 58D, 
block 6012). The next system may be an additional security 
checkpoint system 6000 that performs additional processing 
(FIG. 58D, blocks 6016, 6004, 6006, 6008). 

10 

EXAMPLES 

Example — Electronic Content Distribution Value 
Chain 

is FIG. 59 shows how example Distributed Commerce Util- 
ity 75 can be used to support an example electronic content 
distribution value chain 162. In the FIG. 59 example, an 
author 164 may create a valuable work, such" as a novel, 
television program, musical composition, or the like. The 

20 author provides this work 166 (for example, in electronic 
digital form) to a publisher 168. 

The publisher may use his own branding, name recogni- 
tion and marketing efforts to distribute the work to a 
consumer 95. The publisher 168 may also provide the work 

25 166 to a content "aggregator" 170— someone who provides 
customers access to a wide range of content from multiple 
sources. Examples of aggregators include, for example, 
traditional on-line information database services and World 
Wide Web sites that host content from many diverse sources. 

30 Typically, consumers use an aggregator's services by search- 
ing for information relevant to one or more consumer- 
defined topics. An aggregator 170 may provide the search 
tools to the consumer 95 who will make their own selec- 
tions. 

35 The aggregator 170 might distribute the work 172 con- 
taining some or all of the original work 166 directly to 
consumer 95. Aggregator 170 may also distribute the work 
172 to a "repackager" 174. Repackager 174 may, for 

^ example, take content from several sources on related mat- 
ters and combine them into mixed source products, such as 
multimedia combinations, newsletter publications, or "cur- 
rent awareness" packages. In these services, the repackager 
makes the selection of content and organizes based on 

45 audience-indicated interest. A consumer 95 may subscribe to 
an electronic newsletter on a particular topic or the con- 
sumer may give the repackager 174 a short list of topics they 
are interested in. The repackager 174 will select relevant 
information and communicate the information to the cus- 

5Q tomer. Here the repackager is doing the selecting for the 
consumer. 

For example, repackager 174 might be the publisher of a 
newsletter and might republish some or all of the author's 
work 166 in this newsletter 176. Repackager 174 could 

55 directly distribute newsletter 176 to consumer 95, or the 
newsletter could pass through still additional channels. 
Repackager 174 could use a search engine provided by 
aggregator 170 to find articles of interest to consumer 95 and 
combine those articles into an electronic newsletter that has 

60 both the aggregator 170's brand and the repackagers 174's 
brand, and then send the newsletter to the consumer 95. 

Distributed Commerce Utility 75 may support the FIG. 59 
value chain in a number of ways. For example: 

1. Certifying authority 500 can issue certificates that 

65 allow each of the value chain participants to identify who 
they are and to demonstrate that they are members of one or 
more particular classes. For example, author 164 and/or 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
101 102 

publisher 168 might specify that any certified aggregator or a seamless manner— one or more template applications may 

repackager is entitled to excerpt or anthologize work 166 so be distributed with a control set by such distributors of such 

long as appropriate payment is made. Certifying authority control sets (or may be otherwise made available) to such 

500 could issue digital certificates 504 supporting this control set recipients. In one particular "superdistribution" 

desired business objective, the certificates certifying that 5 business model, work 166 is allowed to be distributed as 

aggregator 170 is in fact a reputable aggregator and that widely as possible, and rights and permissions clearinghouse 

repackager 174 in fact a reputable repackages So long as 400 does the work of providing current control sets 404 

author 164 and/or publisher 168 trust the security of the authorizing particular value chain participants to use the 

overall system 50 and the certificates 504 issued by certi- work in particular ways under particular conditions, 

fying authority 500, they will have no fear that the work 166 to 3. Usage clearinghouse 300 in this particular example 

will be excerpted or anthologized by anyone other than the may support the value chain by collecting usage information 

appropriate types of people they specify. from each value chain participant. The usage clearinghouse 

In another example, certifying authority 500 could issue may thus provide a secure auditing function, generating, 

a certificate 504 to aggregator 170 or other user. Certifying for example, reports that track how many times the work 166 

authority 500 could issue this certificate 504 at the direction *5 has been used and bow it has been used, 

of author 164 or publisher 168. The certificate 504 may attest As one example, usage clearinghouse 300 might analyze 

to the fact that author 164 or publisher 168 agree that usage information to determine how many consumers 95 

aggregator 170 or other user is authorized to modify certain have read the work. Usage clearinghouse 300 can, for 

permissions 404. Author 164 or publisher 168 may have example, report consumption information in varying 

specified permissions 404 so that that will allow themselves 20 amounts of detail and/or specific kinds of information, to 

to be modified only on the condition that an "authorized various value chain participants consistent with privacy 

aggregator" certificate is present. concerns and the accepted business rights of each party. As 

In another example, certifying authority 500 could issue one sample, the usage clearinghouse 300 might give con- 

a certificate to one or more classes of users, enabling, for sumer 95 a verv detailed report about his or her own 

example, utilization of content and/or specific portions of 25 particular usage of work 166, while providing author 164 or 

content and/or modification of permissions, which such publisher 168 with only summary report mformation that 

enabling may be limited to specific utilization and/or modi- mav > for example, not include the consumer name, address, 

fication by employing certain VDE rules and controls put in or other direct, identifying mformaUon. 

place by the author or publisher or certificate authority (as M example, reports could also flow directly from 

allowed by in place rules and controls). 30 repackager 174 to the aggregator 170, publisher 168 and 

, . . i • u . author 164. Reports may be directed along any logical 

2. Rights and permissions clearinghouse 400 in this . * . c i- ^ 

particular example may be used to renter work 166 and P* 1 ™?' dlK ^' 01 tta ™& "V of parties, and 

issue appropriate permissions 404 consistent with authori- con « amm 8 k 1Df °T f°^h party as .s 

j • • *- j j u u i u * acceptable to the value chain and as may be enforced, for 

zations and instructions provided by each value chain par- „ v . , * . • . , , 7 A . . * 

ticipant. For example, the author 164 could register work 35 at ! eas, 1 1D P ar V by ^i™' 65 

166 with rights and permissions clearinghousTm and 4 - * maDC > al ^nnghouse 200. io to example may 

specify an electronic Control set 404 denning the rights of P r0Vld f. secure of fina ° ciaI . ***\f of rt th . e 

t « • transaction — ensuring that appropriate value chain partici- 
every other value chain participant. 4 ... . f , . . . . 

J pants compensate other appropriate value cham participants. 

For example: 40 As one example, financial clearinghouse 200 may receive 
This control set 404 could specify, as one example, that payments from consumer 95 based on the consumer's use of 
publisher 168 can distribute an unlimited number of wor fc \^ anc j distribute parts of the payments appropriately 
copies of the work 166 so long as the publisher pays the to aulhor 1*4, publisher 168, and other appropriate value 
author 164 a certain dollar amount for each copy participants in an automated, efficient process man- 
distributed. 45 a ged a t least in part by VDE rules and controls. For example, 
The control set 404 might permit publisher 168 to add his financial clearinghouse 200 might interface with other banks 
own additional controls that allow consumer 95 to read or financial institutions to accomplish an automation of 
the work 166 an unlimited number of times but pre- payment transfers, and/or it might assist in managing elec- 
vents the consumer from copying or redistributing the tronic money maintained within the overall value chain 
work, 50 shown. Financial clearinghouse 200 may also assist in 
Although the electronic control set may travel in an ensuring that itself and the other Commerce Utility Systems 
electronic container 152 with the work 166, it may also 90 are appropriately compensated for the administrative and 
be provided separately. For example, rights and per- support services they provide, that is, for example, secure 
missions clearinghouse 44M) might, upon request, sup- VDE processes operating within Commerce Utility Systems 
ply a control set associated with work 166 to anyone 55 90 may automatically ensure the payment to such admin is- 
who requests a control set. trative and support service providers. 
Rights and permissions clearinghouse 400 might maintain 5. Secure directory services 600, in this example, may 
different versions of the control set 404 for different user support the example value chain by facilitating electronic 
classes so that, for example, consumers 95 might receive one communications between value chain participants and/or 
control set 404*3, aggregators 170 might receive another 60 between Commerce Utility Systems 90. For example, secure 
control set 4046, and repackagers 174 might receive a still directory services 600 can, upon request, provide electronic 
further, different control set 404c. Each of these control sets address and/or routing information allowing one value chain 
can be provided in advance by author 164 or other rights participant to electronically contact another. As one 
holders, providing a "pre-approved permissioning" system example, suppose a consumer 95 wants to obtain the latest 
that makes widespread usage of work 166 extremely effi- 65 addition of work 166 but discovers that the electronic 
cient and yet highly secure, and further, such control sets address of publisher 168 has changed. Consumer 95 can 
may interact with VDE distributed template applications in electronically contact secure directory services 600, which 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
103 104 

can provide current address information. Of course, in capabilities, including rules and controls and secure com- 

commercial trading system applications, for example, secure munication techniques, would preferably be used as a foun- 

directory services may provide much more elaborate ser- dation for the above activities. 

vices for the identification of desired parties, such as multi- E ^ of How Commerce Utility Systems Can 

dimensional searching of directory resources for identifying 5 Support One Another 

parties based on class attributes. Secure directory services 

600 may also provide services that enable the identification FIGS. 16A-16E described above show how different 

of content, for example based upon content type and/or rules Commerce Utility Systems 90 can support one another. In 

and controls associated with such content (pricing, allowed morc detail, FIG. 16A shows that a financial clearinghouse 

usage parameters such as redistribution rights, etc.). 10 200 ma y provide services to one or more other Commerce 

6. Transaction authority 700 in this example might be Utility Systems 90, including, for example, the usage clear- 
used to assist repackager 174 in developing newsletter 176. inghouse 300, the rights and permissions clearinghouse 400, 
For example, transaction authority 700 might help in auto- the certifying authority 500, the secure directory services 
mating a process in which a number of different works 600, the transaction authority 700 and another financial 
created by a number of different authors were all aggregated 15 clearinghouse 200'. Under such circumstances, the plural 
and excerpted for publication in the newsletter. Transaction Commerce Utility Systems constitute both a virtual clear- 
authority 700 can securely maintain the current status of an inghouse and a higher order Commerce Utility System, 
overall multi-step process, specifying which steps have ' In each instance, the financial' clearinghouse 200 may 
already been performed and which steps have yet to be collect funds due the support services and deposit these 
performed. Transaction authority 700 can also, for example, 20 funds to at least one provider account employing at least one 
help arbitrate and mediate between different participants in payment method The financial clearinghouse 200 may also 
such a multi-step process, and can in some cases actively provide VDE audit records confirming the source and 
influence or control the process (for example, by issuing new amount of the funds and the provider account in which the 
instructions or requirements based upon error or other funds were deposited by the financial clearinghouse 200. 
conditions). 25 The financial clearinghouse 200 may provide assistance to 

one or more other support services in establishing provider 

Example— Manufacturing Cham accounts and communicating to such one or more support 

FIG. 60 shows an example manufacturing value chain services the account number and/or numbers and terms and 

supported by Distributed Commerce Utility 75. In this conditions that may apply. Both the support service request 

particular example, a customer 95 places an order with a 30 to the financial clearinghouse 200 and its responses to the 

manufacturer 180 and receives an order confirmation. The requesting support service can be communicated in VDE 

manufacturer may order parts and supplies from a number of secure containers (as mentioned earlier) to take advantage of 

different suppliers 182(1)-182(N). Suppliers 181(1)-182(N) their substantial security, confidentiality, flexible control 

may, in turn, order additional parts or sub-assemblies from architecture, and trustedness, and can be processed at each 

additional suppliers 182(al), .... A bank 184 may supply 35 location by one or more VDE Protected Processing Envi- 

funds to suppliers 182 based on proofs of order and assur- ronments. Financial and account information may be pro- 

ances that the manufacturer will pay back the advances. A vided in the form of VDE control sets and/or be incorporated 

transportation/warehousing company 186 may provide in VDE control sets by the financial clearinghouse. 200 

transportation and warehousing for supplies and/or final and/or by one or more other support services. Financial 

products. 40 clearinghouses 200 may also provide services to each other 

In this value chain, certifying authority 500 and transac- to promote further operating and administrative efficiencies, 
tion authority 700 can assist with secure flow of electronic For example, one financial clearinghouse 200 may provide 
orders, confirmations, terms and conditions, and contracts, services to its counterparts in other countries or in other 
and can also help to ensure that each value chain participant geographic regions. In another example, one financial clear- 
can maintain the desired degree of confidentiality while 45 inghouse 200 may provide another financial clearinghouse 
exchanging necessary information with other value chain 200 access to one or more payment methods not directly 
participants. Usage clearinghouse 300 may assist in secure supported by the second financial clearinghouse 200. 
auditing of the overall process, tracking of physical and FIG. 16B shows that the usage clearinghouse 300 may 
electronic parcels between the value chain participants, and also provide services to other Commerce Utility Systems 90. 
other usage related operations. Financial clearinghouse 200 50 In one example, the usage clearinghouse 300 may provide 
may handle the financial arrangements between the value raw data, aggregated data, at least in part derived 
chain participants, for example, assisting in coordinating information, and/or reports to other electronic commerce 
between the world of electronic network 150 and a paper- support services such as financial clearinghouses 200, rights 
oriented or other world of bank 184. Rights and permissions and permissions clearinghouses 400, certifying authorities 
clearinghouse 400 may provide a secure archive for elec- 55 500, secure directory services 600, transaction authorities 
ironic controls 404 defining parts or all of the transaction. 700, and other usage clearinghouses 300'. These other 
Transaction authority 700 may securely monitor the overall infrastructure services may use this information as indepen- 
progress of transactions occurring among value chain dent third party verification of certain transactions and their 
participants, and provide periodic status reports as appro- details, for market research on behalf of their own services, 
priate to each value chain participant. In addition, transac- 60 and/or to resell this information, perhaps in conjunction with 
tion authority 700 can assist in directing or arbitrating the their own usage information. In one example, a rights and 
overall transactions to ensure that all steps and requirements permissions clearinghouse 400 might sell reports to a pub- 
are fulfilled. Secure directory services 600 can assist in lisher containing a combination of their own information, 
routing information electronically between the different and that from the financial clearinghouse 200 and usage 
value chain participants. Of course, as previously stated for 65 clearinghouse 300 plus secure directory service 600 and 
the present inventions and as applicable throughout this certifying authority 500. More specifically, a report might 
specification, VDE chain of handling and control and other contain a list of objects registered at the rights and permis- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



105 



106 



sioos clearinghouse 400 by a particular publisher, the num- 
ber of requests to the rights and permissions clearinghouse 
for updated or additional rights and permissions, financial 
clearinghouse 200 summary revenue numbers for each digi- 
tal property, the number of certificates by the certifying 
authority 500 on behalf of the publisher indicating that the 
user had been certified and had a valid subscription to the 
publisher's digital works, and the number of requests to the 
secure directory service 600 seeking information about the 
network addresses of the publisher's online web servers. In 
each case, a support service provided the information to the 
rights and permissions clearinghouse for incorporation in 
this report to the publisher. 

Example — Distributed Commerce Utility 75 Can 
Support Digital Property Purchasing. Licensing 
and/or Renting Transactions 

'Distributed Commerce Utility 75 provides significant 
trustedness, security, convenience, and efficiencies for 
instances in which customers pay for digital information. 
Moreover, information creators and distributors can price 
this information — indeed, any digital property in any digital 
format — in various ways and in different ways in different 
markets. 

FIG. 61 shows an example of an information delivery 
service arrangement 1000 in which an information provider 
168 provides electronic content for purchase, rental and/or 
licensing. In this example, an information services company 
168 distributes information 166 to several global markets, 
including individuals, Their market areas include 
professionals, home office users, and the small office 
marketplace, as well as medium and large companies and 
consumers at home. For example, provider 168 may deliver 
content 166 in electronic form to a home consumer 95(1), a 
professional such as a lawyer 95(2), and to a corporation or 
other organization 95(3). In one example: 

an individual consumer 95(1) buys under subscription 
pricing three articles 166(1) from an online encyclo- 
pedia; 

a lawyer 95(2) buys three chapters 166(2) from a treatise 

on patent law; and 
two product marketing managers in a large company 

95(3) receive a proprietary market research report 

166(3). 

Prior to information delivery transactions, the consumer 
95(1), professional 95(2) and company 95(3) may use a 
secure directory service 600 to locate the network address of 
the information provider 168 as well as assist in identifying 
the content they wish to work with. Subsequently, these 
parties 95 may send an electronic message to provider 168 
requesting the specific information they want to receive. 
Provider 168 may deliver this information 166 within VDE 
secure electronic containers 152 along with associated rules 
and controls 188 that control pricing and permissions. Each 
of parties 95 has an electronic appliance 100 including a 
protected processing environment 154 that enforces these 
controls 188. 

The provider 168 can price information differently for 
different markets. For example: 
professionals 95(2) and SOHO (small office/home office) 

pay transaction fees; 
large companies 95(3) pay a mixture of subscription and 

transaction fees (e.g., company 95(3) may pay $10 per 

page printed or excerpted from a larger report, and may 65 

also pay a subscription fee); and 
Individual consumers 95(1) pay a flat subscription rate. 



In each of these cases, local, state, and/or federal sales 
taxes, as appropriate, are included in the retail price. Pay- 
ment methods may be provided within electronic control 
sets 188 delivered in electronic containers 152 with, and/or 
5 independently of, the associated content 166 (for example, 
as provided in Ginter, et al). 

A financial clearinghouse 200 ensures that provider 168 
receives payment through any authorized payment method. 
The information delivery service 168 accepts a broad range 
10 of payment methods. Some forms of payment are more 
popular in certain markets than in others. For example: 
In the professional, SOHO, and consumer markets, credit 
(MasterCard and Visa) and charge (American Express) 
are popular. 

Consumers 95(1) also like credit cards, and are making 

increasing use of bank debit cards. 
Large, companies 95(3) also .use credit and charge cards, 
payment through Automated Clearinghouses (ACHs), 
and billing and payment through traditional and VDE 
secure Electronic Data Interchange (EDI) transactions 
based, for example, on X.12 protocols. 
A financial clearinghouse 200 makes payment more effi- 
cient in several ways. For example, financial clearinghouse 
200 furnishes provider 168 with a convenient, "one stop 
shopping" interface to the several payment methods, and 
keeps track of the at least one account number associated 
with a given provider. 

In this particular example, a certifying authority 500 may 
deliver digital certificates to each of consumers 95 specify- 
ing a consumer's one or more classes. For example, certi- 
fying authority 500 may deliver: 
one or more certificates 504(1) attesting to the fact that 
consumer 95(1) is an individual consumer subscriber 
to. information service 1000 and further attesting to the 
fact that the consumer is a registered college student 
and is a resident (for the taxation purposes related to the 
transaction) of California, 
a certificate 504(2) attesting to the fact that professional 
95(2) is a lawyer admitted before the bar of the State of 
California, and 
one or more certificates 504(3) attesting to the fact that 
corporation 95(3) is a legally incorporated entity and 
has a certain credit worthiness. 
Control sets 188 may activate the different payment 
methods based on the presence of an appropriate digital 
certificate 504. For example, control set 188(1) delivered to 
consumer electronic appliance 100(1) authorizes consumer 
95(1) to use each of the three articles 166(1). Control set 
188(1) may, for example, contain a requirement that the 
consumer 95(1) must have a certificate 504(1) from an 
independent certifying authority 500 (or from the informa- 
tion distributor or other party acting in a certifying authority 
capacity under authorization from a more senior certifying 
authority) attesting to the fact that the consumer 95(1) has a 
subscription that has not yet expired to the online encyclo- 
pedia. This certificate 504(1) may, for example, be used in 
conjunction with other certificates issued by the certifying 
authority 500 (e.g., perhaps run by, or authorized by, the US 
government or other governing body) attesting to the fact 
that the consumer 95(1) is a US citizen, resides within the 
US, and is a legal resident of the State of California. 



15 



20 



25 



30 



35 



40 



45 



50 



55 



60 



The Individual Consumer 

The consumer 95(1) pays the information provider 168 
for the subscription through a transaction transmitted to the 
financial clearinghouse 200 in a VDE electronic container 



01/11/2004, EAST Version: 1.4.1 



US 6,6: 

107 

152. The payment transaction may involve, for example, the 
consumer appliance 100 sending to financial clearinghouse 
200 an electronic container 152(7) including rules and 
controls 188(4) and audit records 302(1). The audit records 
302(1) may indicate, for example: 

who should be paid, 

the amount of the transaction, 

the particular payment method (a VISA card, for 
example), 

the subscriber's VISA card number and expiration date, 
an identifier of the information subscription, and 
the number of the provider's account to which the pay- 
ment should be credited. 
The secure container 152(7) may also contain rules and 
controls 188(4) indicating that municipal, California and US 
federal sales taxes should also be collected. The financial 
clearinghouse 200 collects the appropriate sales taxes and 
deposits the funds in the appropriate accounts, for example 
certain funds would be deposited in the account belonging to 
the appropriate State of California tax collection agency 
1002. 

In exchange for the payment, the subscribing customer 
95(1) may receive from certifying authority 500 a certificate 
504(1) indicating she is in fact a subscriber and the expira- 
tion date of the current subscription. 

The Professional 

The lawyer 95(2) in this example may be located in the 
United Kingdom. He purchases the three chapters 166(2) 
from a treatise on patents using a MasterCard, but pays in 
pounds sterling rather than in dollars. To perform the pur- 
chase transaction, the lawyer 95(2) may first be preautho- 
rized by the financial clearinghouse 200 for purchases each 
month of up to $500 US (or the equivalent in pounds). The 
pre-authorization may be sent from the financial clearing- 
house 200 to the lawyer's appliance 100(2) in the form of a 
budget control 188(5) in a secure container 152(8). The 
protected processing environment 154(2) within the law- 
yer's appliance 100(3) may open the container 152(8), 
authenticate the budget record 188(5), and store the control 
within an associated secure database maintained by PPE 
154(2). 

Upon receiving opening each of the three chapters 166(1), 
the lawyer's protected processing environment 154(2) may 
create an associated audit record, and may decrement avail- 
able credit in the budget record by the amount of the 
purchase. At month end, or when the $500 preauthorized 
credit has been exhausted, the lawyer's PPE 154(2) may 
send to the financial clearinghouse 200, a secure container 
152(9) with audit records 302(2) indicating all the 
purchases, their amounts, and the provider account or 
accounts to be credited, this supporting efficient automation 
of clearing processes. The financial clearinghouse 200 may 
open the secure container 152(9), debit the lawyer's credit 
card account, and pay the appropriate provider accounts 
their due. 

The Company 

Preliminary to content transactions, a distributed corpo- 
rate financial clearinghouse 200A within the company 95(3), 
while operating under the authority of the financial clear- 
inghouse 200, sends to each of managers 95(3)A, 95(3)B a 
secure container 152 a budget record 188 indicating their 
currently approved monthly information and market 
research budget A corporate distributed certifying authority 



i8,568 Bl 

108 

500A (in the same trust hierarchy as the certifying authority 
500, in this example) may also issue digital certificates 504 
(not shown) to employees of the company. 

In this example, each product manager 95(3)A, 95(3)B 

5 prints selected portions of the report and the budget on his 
or her local appliance 100, which is decremented by $10 for 
each page printed. The protected processing environment 
154(3) within the local electronic appliance 100(3) securely 
performs this process, conditioning it on controls 188(3) that 

10 may require appropriate digital certificates 504(3) issued by 
certifying authority 500 and/or the distributed corporate 
certifying authority 500A 

According to controls 188(3) supplied by the information 
provider, for example, at the end of the month, or when the 

1S budget for that month is exhausted, the corporation's appli- 
ance 100(3) sends to the corporate internal financial clear- 
inghouse 200A audit, records (not shown) indicating any 
purchases that might have been made during the reporting 
interval and the amounts and provider account numbers for 

20 those purchases. The distributed, local corporate financial 
clearinghouse 200A aggregates the sums in the audit records 
and sends in a secure container 152(12) at least one audit 
record 302(3) to the external financial clearinghouse 200 to 
authorize payment of the total amount owed the provider of 

25 the market research reports through an Automated Clear- 
inghouse (ACH). Also in the secure container 152(11) (e.g., 
as part of audit record 302(3)) are the account number of the 
company 95(3) from which the funds should be debited and 
the account number of the market research company that 

30 issued the report into which the funds should be credited. 
The financial clearinghouse 200 completes the payment 
process through the ACH and sends a VDE secure container 
(providing at least one audit record) back to the internal, 
corporate financial clearinghouse 2 00 A as confirmation. 

35 Distributed clearinghouse 200A may, in turn, send, using a 
secure container (not shown), at least one confirming audit 
record to each of the product managers 95(3)A, 95(3)B. 

Example: Distributed Commerce Utility 75 Can 
40 Support Transactions Where A Consumer Purchases 
and Pays For A Tangible Item 

A significant portion of electronic commerce will entail 
the sale, purchase, distribution management, and/or payment 
for intangibles of all kinds. Commerce in tangibles has many 
45 of the same security, trustedness, and efficiency require- 
ments as commerce in intangibles (e.g., digital information). 
For the computer to become a true commerce appliance, a 
distributed, secure, trusted rights/event management soft- 
ware layer (e.g., rights operating system or middleware) 
50 such as the Virtual Distribution Environment described in 
the Ginter et al. specification is a necessity. Thus, even when 
tangibles rather than digital properties are the object of 
secure electronic commerce, Distributed Commerce Utility 
75 can play an important role. 

FIG. 62 shows an example tangible goods purchasing and 
payment system 1010. In the FIG. 62 example, imagine a 
well-known provider of clothing and certain related house- 
hold items, for example, L.L. Bean or Lands' End, offers 
their wares over a digital network such as the Internet/World 
Wide Web. In this example, the company creates: 

a Web catalog server 1012 to offer a line of clothing to 
consumers 95, 

a web fulfillment server 1014 that is an interface to the 
65 fulfillment function, and 

a third web server 1016 that acts as a secure financial 
clearinghouse 200 and as an interface to several pay- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

109 110 

ment methods (e.g., MasterCard ("MC"), VISA, and information 1024 in a secure container 152(3) and sends the 

American Express ("AMEX"). container back to the fulfillment service 1014. Fulfillment 

The company also in this one example server 1014 opens the container 152(3) and reads the field 

registers the service with the secure directory service information 1024. Fulfillment server 1014 creates a VDE 

provider 600, and 5 audit record indicating receipt of information 1024. Fulfill- 
through the financial clearinghouse 200, establishes a ment server 1014 may also create a control set 188 and/or an 

provider account with at least one payment method, cvent notification that initiates a purchase transaction. 

such as a credit card, debit card, and/or bank, and Fulfillment server 1014 may communicate with ware- 

, , . iL t #u house 1018 directly or through transaction authority 700. 

registers several transactions with a transaction authority _ . . 3 AMA *T , . . 3 

10 The fulfillment server 1014 then determines whether the 

T 4 . . ' , . # »u *u * required items are in stock and available to be shipped. If 

In this example, the company registers with the transac- * 7-,. A + MA , A . « * « ■ j % 

»u •» 4aa u u u a' i 'l uj < fulfillment server 1014 determmes that the required items 

tion authority 700, which may be a distributed transaction . , . . A . , , 1, . - 

.* . • , . are m stock and available to be shipped, and if the lnfor- 

authonty within the company selling the goods, an atomic * IC . m ™. aau *u • ■ . ♦ 

: . . . . . , , mation 1024 provided bv the consumer is sufficient to 

transaction comprising at least one electronic control set that , I tS, " y . 7. . 4 

, - - r . & 15 proceed, the fulfillment service sends back to the consumer 

describes, for example: ' W eb page 1022C indicating: 

sending the order to the fulfillment Processing one or purchase can be fulfilled, 

more organizations such as a warehouse 1018 and r ~- ■ ■•■ 

logistics 1020 (which may or may not be the same « to vanous sales taxes and delivery charges, 

company), tnc address provided and class of delivery service chosen, 

receiving confirmation that the desired merchandise is in new ficlds for payment related information, and 

fact in stock, a query asking whether the consumer wishes to proceed, 

receiving confirmation of the order, The folfiUmcnt service 1014 also sends audit records 

. r. # 302(1) to the consumer's PPE 154 and to the transaction 

receiving payment pre- authorization from a payment iL v ' „ M . . , . , ^ - . 

method for the particular customer placing the order, 25 ™ "^f^f partS ° f the ^ at ° miC 

. . . . r . . f. transaction have been fulfilled. 

shippmg instructions for the merchandise, [f me cosAogaBt 95 determines he or she does not wish to 

confirmation that the merchandise was actually shipped, continue with the transaction after viewing fulfillment 

aQ d details, his or her appliance 100 can send a secure VDE 

controls for completing the payment transaction. 3Q container 152(5) to the fulfillment service 1014 and to the 

In this one example, the company also obtains at least one transaction authority 700 indicating that the transaction is 

digital certificate 504 from a certifying authority 500 attest- canceled. If the customer 95 says yes, please continue with 

ing to at least one fact, for example, that the transaction, the customer is prompted to pick a payment 

the company is a legitimate corporation registered in the method from among the list provided. In this example, the 

State of Delaware; 35 list corresponds to payment methods supported by both the 

the company is not in bankruptcy and/or the company has merchandise provider and by the financial clearinghouse 

a certain degree of creditworthiness, 200. The customer 95 fills in credit or charge card number, 

the company has been assigned a particular Federal tax for example, expiration date, and billing address. 

Identification Number, and u P° n completion of the required information, the cus- 

that the company has State tax Identification Numbers in 40 * mer ' s appHance lOO can send the formation using his or 

each of several states, the specific states and their £er secure PPE, in a secure VDE container 152(5) to the 

corresponding Identification Numbers, financial clearinghouse 200, and may send a separate VDE 

A customer 95 uses his or her electronic appliance 100 ™ atamer shown ) wth an audlt record 10 me transactl0D 

with Web browsing capabilities to access the catalog server au _P n \ \ , , . , . . . 

1012 over the Internet's World Wide Web. The catalog 45 The financial clearinghouse 200 gets pre-authonzation 

server 1012 sends the customer 95 a web page 1022 pro- from m£ crcdlt ^processing company, and, for example, 

viding a page from an electronic catalog. Web page 1022 ««« a *«« ^ "f™" lS %*> *b prc- 

may be sent in one or more secure electronic containers authorization approval information 1026 to the fulfillment 

152<1). The customer 95 displays the web page 1022Ausing *™ 1014 Vm ™% clearinghouse 200 may ^nd another 

his or her electronic appliance 100, and elicits on the part of 50 T J\ J3>? f ****** ™ ^ 

the web page showing a men's short sleeve Oxford button an * ud, « record 302 < 2 ) > ndlcata g completion of the pre- 

down shirt selling for $15.95. The current Web page is ^"TSn a t. .u ,m C 

replace by a web page 1022B from the fulfillment server ™» fulfillment server 1014 may send a further VDE 

1014. This second web page 1022B may be sent in a secure secur ^, n ^ n " 1S2 &> to ^e customer 95 widi a new Web 

container 152(2) 55 pagc *®22D and audit record mformaUon 302(3) indicating 

The customer's electronic appliance 100 has a protected ^ at " 

processing environment 154. PPE 154 opens the secure the order P rocess 15 complete, 

container 152, and displays the page 1022B on the screen. the ^ has beeo approved by payment method, 

The page 1022B being displayed is a form that has several when the goods are shipped, the customer's credit card 

fields including the catalog number and description of the 60 will be charged the total amount, and 

shirt and retail price. The customer 95 fills in fields for color, a transaction confirmation number for further reference in 

neck size, normal or tall person, normal or trim fit, and order to be able to make inquiries with the fulfillment 

quantity. The customer 95 also indicates where the shirt(s) service 1014 and/or with the transaction authority 700 

are to be delivered, the class of delivery service desired, and The fulfillment service 1014 (e.g., in cooperation with 

the customer's address. 65 warehouse 1018) packages the goods, hands them off to an 

Upon the customer 95 completing the required express delivery service 1020, and, for example, sends VDE 

information, the electronic appliance 100 puts the form field secure containers 152(9), 152(10) with audit records 302(4), 



01/11/2004, EAST Version: 1.4.1 



US 6,6; 

111 

30(5) indicating shipment to the financial clearinghouse 200 
and the transaction authority 700, respectively. In this 
example, the express delivery service ("logistics") 1020 also 
sends a VDE secure container 152(11) to the transaction 
authority 700 and to the fulfillment service (and also, if 
desired, to the customer 95) indicating that the express 
service 1020 has taken possession of the package. 

Upon delivery of the package with the merchandise, in 
this example, the express delivery service 1020 sends a VDE 
secure container 152(12) containing an audit record 302(7) 
indicating that delivery of the package has been completed 
to the transaction authority 700 which then marks the 
transaction completed and then may send additional VDE 
secure containers 152 indicating completion to the financial 
clearinghouse 200, to the express delivery service 1020, to 
the fulfillment service 1014, and in some examples to the 
customer 95. 

Example: Distributed Commerce Utility 75 Can 
Support Transactions In Which Customers Pay For 
Services 

A hallmark of advanced Western economies, especially 
the economy of the United States at the end of the present 
century, has been the transition from a largely 
manufacturing, "smoke stack" economy to not only an 
"information economy" but to a "service economy** as well. 
Distributed Commerce Utility 75 can support transactions in 
which customers pay for, and in many examples, consume 
or otherwise make use of services. 

FIG. 63 shows an example online service system 1030. In 
one example, an online service 1032 registers with the 
secure directory service 600 and obtains a digital certificate 
504(1) from a certifying authority 500 attesting to identity of 
the online service. The online service also agrees to trust 
certificates 504 issued by the certifying authority 500 and by 
parties certified by the certifying authority 500 to issue 
certificates for specified facts. 

For example, the online service 1032 agrees to accept 
certificates 504(3) issued by a distributed certifying author- 
ity 500A from parents certified by the certifying authority 
500 (through certificate 504(2)) to issue certificates attesting 
to the facts that they have children and that these children are 
currently minor children. In turn, the online service 1032 
will not allow children so certified to access certain subject 
matter materials distributed by the online service nor to 
accept digital signatures based on those certificates for 
purchase transactions, unless the adult person responsible 
for the child has issued another certificate attesting to their 
willingness to be financially responsible (e.g., uncondition- 
ally or for purchases up to some specified limit per trans- 
action or some aggregate level of spending in a specified 
time period, in one example, so much per month). These 
certificates 504(2), 504(3) may be sent from the certifying 
authority 500 to the parent and/or to at least one child in a 
VDE secure container 152. 

Now suppose the child 95(2) subscribes to an online game 
called "chat." Online service 1032 has a Web interface 
specifically designed for school aged children. This service 
1032 offers a subscription that must be renewed quarterly. 
Using an electronic appliance 100 such as a personal com- 
puter or TV and settop box with bi-directional communica- 
tions and a protected processing environment 154, the child 
95(2) uses secure directory services 600 to locate the online 
service 1032, and sends a message requesting a subscription. 
In response, the online service 1032 sends to the parent 
95(1) or guardian in a VDE secure container 152(4), a 



8,568 Bl 

112 

request 1034 for payment, membership, and member infor- 
mation. The parent or guardian and/or other paying indi- 
vidual 95(1) provides his or her (or their) credit card 
numbers), expiration date(s), and billing address informa- 
5 tion 1036 in one or more other secure containers 152(5) to 
the online service 1032. 

In this example, the online service 1032 communicates 
the customer's service account, credit card and/or other 
payment information 1036 to the financial clearinghouse 
io using a VDE secure container 152(6) (in a variation on this 
example, the parent 95(1) may have provided this financial 
and related information directly to the financial clearing- 
house 200 in a VDE secure container 152(5)). The online 
service provider 1032 also provides to the financial clear- 
15 inghouse 200 the clearinghouse network address and pro- 
vider account number. Within a protected processing envi- 
ronment (which may, for example, comprise a general 
purpose computer locked in a physically secure vault or 
other secure installation), the financial clearinghouse 200 
20 opens the secure container 152(6), extracts the payment 
information 1036, and completes the payment transaction 
with the credit card company. 

For this example, the financial clearinghouse 200, in turn, 
communicates the following information 1038 (this list is 
25 for illustrative purposes only and does not detract from the 
general case in which any available set of information might 
have been communicated) to the online service 1032 in at 
least one secure VDE container 152(7): 

VDE audit record for this transaction, 

transaction authorization number, 

provider account number, 

account number of the customer at the service, and 
amount of the payment. 
35 In turn, the online service 1032 sends a secure container 
152(8) to the customer 95(1) indicating that payment has 
been accepted. In one example, online service 1032 may 
instruct certifying authority 500 to issue a certificate 504 
attesting to the validity of the subscription until a specified 
40 date. Online service 1032 may also provide audit records 
302(1) derived from the information 1038 provided by the 
financial clearinghouse 200. 

Each time the child 95(2) logs on to the online informa- 
tion service 1032, the child's PPE 154 checks to determine 
45 if any certificates 504 are present or known and if so, 
whether: 

these digital certificates attest to an current, unexpired 

subscription to the online service, and 
any minor child certificates are present and valid (for 
50 example, have not expired because the child has not yet 
reached their 18* birthday). 
Having ascertained through these certificates 504 that the 
child 95(2) is authorized to use the online service 1032 and 
is prohibited from accessing certain "adult" content, the 
55 online service grants selective access, that is to authorized 
portions. 

Among the features of this online service are distributed, 
multiperson interactive games. The child 95(2) in this 
example plays the game with at least one other authorized 

60 and certified minor child — adults are precluded by underly- 
ing VDE rules and controls from playing this game in this 
particular example. At least one portion of the software (e.g., 
executable code and/or interpretable code, such as Java) that 
implements at least one portion 1040 of the at least one game 

65 can be download from the online service 1032 to the child's 
information appliance 100(2) using at least one VDE secure 
container 152(9). 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
113 114 

Using methods described in the Ginter et al. disclosure, notification of preauthorization, retailer 1046 may ship the 

these programs and/or portions of programs 1040 are deter- goods 1047 to the company 1042. Following delivery of the 

mined to be authentic and unmodified. At least one of the merchandise 1047, the retailer 1046 creates at least one VDE 

keys used to calculate the one way hash function that audit and/or billing record 1052 in at least one VDE secure 

produces the digital signature used for determining the 5 container 152(2), and transmits the container to the financial 

integrity of the at least one program 1040 or at least one part clearinghouse 200 (audit information may also or alterna- 

of a program is bound to the identity of the online service tively be sent to retailer 1046). 

1032 by a certificate 504 issued by certifying authority 500. Th e financial clearinghouse 200 then completes the 

As the child 95(2) in this example plays the game, at least charge card transaction by allocating the total payment 
a portion of his or her activities are metered according to 10 amount to each of the value chain participants represented 
methods disclosed in the co-pending Ginter et al. application by control set 188a (which it may have received, for 
and audit records 302(2) are created that indicate this child's example, directly from retailer 1046 and/or through corn- 
usage. At certain times, these audit records 302(2) are paa y 1042). In this way, the distributors 1048 and/or manu- 
transmitted to the online service 1032 which may, in this facturers 1050 receive their payments at the same time the 
example, include a usage clearinghouse 300. Usage clear- 15 re tail seller 1046 receives its payment. Control set informa- 
inghouse 300 analyzes these usage records 302(2), and may ti on ig&z may also indicate shares of the total payment and 
use them to determine how much to charge child 95(2). provider account numbers for local, state, and federal taxes, 
, „ , ^ „ « if any, and, for example, for delivery charges, such as to an 
Example: Distributed Commerce Utility 75 Can Be overnight express company, if any. 
Used to Provide Value Chain Disaggregation for 2 o ^ * A , , 4 . . . 

Purchase and/or Use of Tangible hems J*"* mG «4 exampU shows that value chain fcaggre- 

gation can apply for both tangibles and for intangibles. 

Distributed Commerce Utility 75 can be used to facilitate Similar techniques can also be used much further back 
a purchase or other type of transaction relating to tangible through the manufacturer's 1050 supply chains if so desired 
goods. FIG. 64 shows an example tangible goods delivery (e.g., to the providers of the metal from which the paper clips 
system 1040. For example, a company 1042 places an order 25 were fabricated), 
for office supplies using an electronic appliance 100 includ- 
ing a PPE 154. The order is for a box of paper clips, a stapler, Example— Distributed Commerce Utility 75 Can 
staple, a case of 85x11 inch copy paper, and a dozen Hel P Distribute Digital Properties By Providing 
yellow legal size note pads. The items are manufactured by Registry And Other Services 
a manufacturer 1050, distributed by a distributor 1048, and 30 Distributed Commerce Utility 75 can assist the electronic 
sold to the company by a retailer 1046. community in efficiently distributing electronic or digital 

In this example, a financial clearinghouse 200 receives a properties or content. For example, using an electronic 

payment 1052 from the company 1042, and disaggregates appliance 100 equipped with a protected processing unit 

the payment by dividing it up into disaggregated payments 35 154, a creator or other rights holder 400 sends a digital 

1052A, 1052B, 1052C which it delivers to each of retailer object in a secure container to a rights and permissions 

1046, distributor 1048 and manufacturer 1050. clearinghouse 400 to be registered. 

For example, the company 1042 sends its order 1044 The rights and permissions clearinghouse 400 opens the 

within a VDE electronic container 152(1) to a retailer 1046. container using, for example, its own VDE protecting pro- 

In this example, retailer 1046 provides a fulfillment service w cessing unit, and assigns a uniform object identifier indicat- 

that receives the order 1044 and, in response, provides a ing the identity of the creator, the type of object being 

control set 188 indicating the provider account number of registered" — software, video, sound, text, multimedia, etc., 

the distributor 1048 and/or manufacturer 1050 of each item and the digital signature for the object. The uniform object 

and the percent of the retail price to be received by each. If identifier may be globally unique or may be unique only in 

desired, retailer 1046 may provide a different control set 188 45 the namespace domain of the creator or some other entity, 

for each item ordered (regardless of quantity) — allowing such as an online service, digital library, or specific 

different payment disaggregation to be performed on an jurisdiction, such as a specific country, 

item-by-item basis. Retailer 1046 may provide this control in this example, using its protected processing 

set 188a to company 1042. environment, the rights and permissions clearinghouse 400 

Control set 188a may be conditioned on the presence of 50 digitally signs the uniform object identifier with the rights 
one or more digital certificates 504 issued by certifying and permissions clearinghouse private key and returns the 
authority 500. For example, control set 188a may require object and identifier to the person or organization registering 
company 1042 to provide a digital certificate 504(1) issued it in a VDE secure container. The rights and permissions 
by the certifying authority 500. Certificate 504(1) attests to clearinghouse 400 may retain a copy of the object or may 
the identity of the ordering company 1042. The company 55 retain only the uniform object identifier for the object, and 
504(1) may provide another certificate 504(2) in the same the signatures for the object and its uniform object identifier, 
chain of trust hierarchy as the certifying authority 500 In another example, the rights and permissions clearing- 
warranting that the person placing the order is authorized to house 400 digitally signs a new object comprised of the 
place orders up to a specified spending limit per order. original object and its uniform file identifier, and stores both 
Company 1042 may provide the same or different certificate 6 q the new object and/or its signature in the rights and permis- 
504(2) also indicating that the purchaser employee within sions clearinghouse 400 archive. 

the company is authorized to make use of a corporate charge The creator may have also sent in a VDE secure container 

card. a permissions and pricing template 450 (see FIGS. 

In this example, the company 1042 pays with a corporate 45A-45Q indicating which permissions are granted, the 

charge card. The financial clearinghouse 200 first gets 65 prices to be charged upon exercising those permissions, and 

payment authorization from the credit card company prior to if applicable, the individual, class and/or jurisdiction to 

the retailer 1046 shipping the merchandise. Upon receiving which those prices and permissions apply. More than one 



01/11/2004, EAST Version: 1.4.1 



US 6,658, 

115 

permission and pricing template 450 may be sent in a single 
VDE secure container 152, or separate VDE secure contain- 
ers 152 may be used for each permission and pricing 
template. 

In this example, using a VDE secure container 152, the 5 
object is then transmitted from the creator to a distributor 
168 (see FIG. 16). Using a certificate 504, the distributor 168 
can prove to the VDE instance (PPE 154) interpreting the 
creator's control set that the distributor is indeed authorized 
to selectively alter permissions and prices of the object and 10 
creates a new permissions and pricing template. The dis- 
tributor 168 then sends a VDE secure container to the rights 
and permissions clearinghouse 400 containing the uniform 
object identifier together with the new controls. In the 
preferred embodiment, if the object remains unmodified, the 15 
distributor 168 has the option of leaving the uniform object 
identifier unmodified; however, if the distributor has modi- 
fied the object, perhaps to add its own brand, then the 
uniform object identifier must be modified to reflect the 
distributor's version. The digital signature is recomputed 20 
using the private key of the distributor. As before, the object 
registry has the option of storing only the digital signature or 
both the signature and the actual object. 

Example — Distributed Commerce Utility 75 Can 25 
Be Used to Facilitate Copyright Registration 

As a value added service, the rights and permissions 
clearinghouse 400 can provide a copyright registration ser- 
vice (see FIG. 43). The rights and permissions clearinghouse 3Q 
400 can send a copy of the object to the appropriate online 
copyright registration service of the appropriate government 
agency 440, for example, the US Copyright Office. The 
object and uniform object identifier may be sent in a VDE 
secure container together with controls indicating the mode 35 
of payment, if a registration or processing is being charged. 

In this example, the copyright registration service can 
send at least one VDE secure container to the financial 
clearinghouse 200 with at least one audit record indicating 
the amount to be paid, the payment method and account of ^ 
the registering party, and the account of the government to 
receive the funds, and receives in return in a VDE secure 
container an audit record indicting that the transaction has 
been pre -authorized (or that for whatever reason, the pro- 
posed transaction has not been authorized). 45 

If the transaction has been pre-authorized by the financial 
clearinghouse 200, a VDE enabled computer located, in this 
one example, in US Copyright office opens the secure 
container and adds the uniform object identifier and the 
object to the registration database. Under a chain of trust 50 
emanating from the certifying authority 500 — which in this 
example may be operated by, or on behalf of the US 
government — the copyright registration service issues at 
least one digital certificate 504 attesting to the facts that an 
object with a specified uniform object identifier and with a 55 
specified digital signature has been in fact registered with 
the registration authority and that the at least one person is 
in fact the owner of the copyright at the time the object was 
registered. This certificate 504 is sent in a VDE secure 
container to the person who registered the object (and/or go 
who was named as the person to be notified) and to the rights 
and permissions clearinghouse 400 who, in turn, may pro- 
vide copyright registration information upon request in a 
secure VDE container. 

The copyright registration service sends at least one VDE 65 
secure container to the financial clearinghouse 200 with at 
least one audit record instructing the clearinghouse 200 to 



,568 Bl 

116 

proceed with fulfillment of the pre-authorized transaction (if 
all necessary information was part of the pre- authorization 
process) and/or providing information to the clearinghouse 
200 regarding, for example, the amount to be paid, the 
payment method and account of the registering party, the 
account of the US government to receive the funds, and that 
the payment transaction should be completed, and receives 
in return from the financial clearinghouse in a VDE secure 
container an audit record indicting that the transaction has 
been completed and funds deposited in the appropriate 
account or accounts, or that the payment transaction fail and 
the reason why it failed to be completed. 

Example — Distributed Commerce Utility 75 Can 
Support Renewal Or Modification Of Permissions 
And Prices 

Distributed Commerce Utility 75 can further facilitate the 
distribution of electronic and digital properties by providing 
a mechanism for renewing rights and permissions that have 
expired. See FIG. 42A. 

Id one example, suppose an employee of a Fortune 1000 
company has a control set for a digital property, perhaps a 
piece of software or a Java applet, that has expired. The VDE 
protected processing environment on the employee's com- 
puter can send a VDE secure container to the rights and 
permissions clearinghouse 400. 

Distributed Commerce Utility 75 can also facilitate the 
distribution of electronic and digital properties by providing 
a mechanism for distributing rights, permissions and prices 
that have been changed by one or more participants in a 
distribution chain. In one example, suppose a customer has 
a digital object on her hard disk and its VDE control set as 
distributed by the publisher. The permissions and prices 
originally indicated a pay per use model in which the user 
pays 10 cents for each operation on the object, such as 
printing or viewing. 

To determine if new rights and prices are now available, 
the protected processing environment on the customer's PC 
can send a VDE secure container to the Rights and Permis- 
sions clearinghouse 400 using its network address obtained 
from the control set together with MIME-compliant elec- 
tronic mail. The customer obtained the address of the rights 
and permissions clearinghouse from the secure directory 
service 600, having, for example, sent a query in a VDE 
secure container and having received a response in a VDE 
secure container. 

The VDE secure container sent to the rights and permis- 
sions clearinghouse 400 contains the object identifier plus a 
request for the current controls including prices. The pro- 
tected processing environment at the rights and permission 
clearinghouse 400 server opens the VDE secure container, 
retrieves the most recent control set from the database of 
controls, and sends via return electronic mail another VDE 
secure container with the desired controls. The customer's 
protected processing environment opens this container, and 
replaces and/or augments the expired controls with the new 
ones. The customer is now able to use the content according 
to the rules and controls specified in the control set just 
received from the rights and permissions clearinghouse and 
processed by the instance of VDE on the local computer or 
other appliance. In this example, these new rules and con- 
trols have reduced the pay per use price from ten cents per 
operation to five cents per operation. 

Example — Distributed Commerce Utility 75 Can 
Support Models To Distribute New Rights 

Distributed Commerce Utility 75 can also support trans- 
actions in which some or all rights are not initially distrib- 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 
117 118 

uted to the ultimate consumer with the content, but must be large enough to make the overall price of the course pack 

requested instead. In one example, suppose a lawyer decides higher than the maximum s/he desires, 

to go into the publishing business by combining her/his own Using the negotiation mechanisms disclosed in Ginter et 

articles with other materials obtained from legal information a i. f or example, FIGS. 75A-76B), the professor 

distributors. The legal information distributors have chosen 5 attempts a negotiation with the rights and permission clear- 

a rights and permissions clearinghouse 400 to be their inghouse 400. The rights and permissions clearinghouse 

distributor of control set information for their many prop- 4QQ y [ n turn, automatically determines it lacks the authority 

erties. With each object they register at the rights and to negotiate and redirects the negotiation to the publisher, 

permission* ; clearinghouse 400 mey ajso register two control Havin obtained m opriate certificate 504 from a 

sets in the formats described in the Ginter et al. disclosure: 10 certfficatfi authority 500 by providing credentials indicating 

one control set specifies default controls including prices membership in the class "higher education", the protected 

for retail customer, and processing environment of the publisher's Web server 

a second control set conveys rights and prices seldom of makes an offer of a new, modified control set for the property 

interest to the retail customer, for example, the antholo- targeted for this professor. The controls have a discounted 

gjzing right. 15 price, require that the copies be printed on a VDE enabled 

The attorney newsletter publisher obtains a chapter from authorized printer that will keep track of the number of 
a treatise on patent law and wants to include a 1000 word copies printed, and report back to the various parties to the 
excerpt in the newsletter in addition to other articles. Having transaction using VDE techniques. Still unhappy with the 
already obtained the treatise chapter and its retail control set, price, the professor sends a VDE negotiation counter-offer in 
the newsletter publisher sends an inquiry in a VDE secure 20 a secure container to the publisher. The publisher's VDE 
container using Internet MIME-compliant e-mail to the instance negotiates with the professor's negotiation counter- 
rights and permissions clearinghouse 400 asking for the offer control set and an agreement is reached that and 
excerpting right and the anthologizing right for the chapter provides a new control set with the new, agreed-upon prices 
identified by the enclosed uniform object identifier. The a nd terms and conditions to the professor, who then goes 
lawyer found the rights and permissions clearinghouse 400 25 ahead to produce the course pack. The rights and permis- 
using a secure directory service 600 (alternatively the rights sions clearinghouse 400 is willing to grant the reduced price 
and permissions clearinghouse 400 address may be con- in part because the professor in this example is able to 
tained in the original retail version received by the lawyer). provide a digital certificate attesting to the fact that she has 

The rights clearinghouse 400 checks the object database, a full-time appointment at the University of California, Los 

locates the control set information for the object named in 30 Angeles and has a certain, minimum number of students 

the universal object identifier, and determines that both the WD o will employ the materials. This authentication meets 

excerpting and anthologizing rights are available along with requirements stated by the publisher to the rights and 

the prices for each. The excerpting right does not convey the permissions clearinghouse 400. 
right to modify the excerpted portion. The anthologizing 

right is conveyed along with controls that set the price to a 35 Example — Certification of Executables 

30% discount from retail prorated for the length of an Qnc valuable ^ of ccrti fying authorities 500 is for the 

excerpt if the whole chapter is not anthologized. issuance of digital certificates on behalf of the government. 

Using a VDE aware page composition apphcaUon, the m additioQ to certificates attesting to identity, legal 

newsletter publisher combines several works, including the ^ ^ goverameDt certifying authorities 500 might 

1000 word excerpt into a new work, and registers the new ^ ^ certifying executables, for example load 

object with the rights and permissions clearinghouse mod|lteL For exampIe> government certifying authorities 

together with its control set(s). The newsletter publisher also 5ft0 at all levels mi ^ { certify the m of execu tables that 

registers the new object with a copyright re^trahon represeDts the laws lrade practices of their administra- 

function, for example, the US Patent and Copyright Office. dve districts For example, Saudi Arabia might insist that all 

Hie newsletter publisher distributes the new work in a VDE « Uanccs m (heif control have Ioad modules 

secure contamer, which also contains control sets for each of ccrtificd b t he government that examine attributes of con- 

the separate anthologized works, and for the whole, com- |aincB tQ insurc that onl a p propriate content is released. 

pletenewsletteraswelLThelocal VDE protected processmg ^ ^ of ^ cerlif y a load module mal 

environment on the appliance of the user keeps track of calcu i a tes state tax, etc. 

usage according to the controls that apply to the composite 50 

object and to the controls of each of its parts for which there Example — Entertainment Distribution 

are separate rules. At some time, the VDE instance sends _. M „ , _ ..... , , . «- 

audit xcords to the usage clearinghouse 300 and to the . D ,? nbu ! e fi d Cojnmeice Uohty 75 can be used to effi- 

financial clearinghouse 2ft0. ^ md flexlb l ? su PP° rt mod f k for mm ^tnbution «"> 

55 the consumer market. For example, suppose that a film and 

Example — Distributed Commerce Utility 75 Can entertainment company such as Disney wants to provide 

Support Electronic Rights Negotiations electronic Distributed Commerce Utility 75 to support dis- 

Distributed Commerce Utility 75 can support electronic tribution of its films to consumers 95. Disney could open a 

rights negotiations. In one example, suppose a professor is Commerce Utility System 90 itself, or it might contract with 

creating a "course pack": a compilation of many different 60 * neutral third party to provide Commerce Utility Systems 

works to be used by students in a particular course that in 90 on its behalf. The purpose of the Commerce Utility 

this example, lasts only one semester. In this example, the Systems 90 in this example is to support secure pay-per- 

professor sends a VDE secure container with a query to the view/pay-per-use, rental, lease and other film distribution 

appropriate rights and permissions clearinghouse 400 and transactions to consumers. 

gets back control sets for the digital properties listed in the 65 The films themselves could be distributed in digitized 

query. Upon reviewing the permissions and prices, the linear form — for example, on Digital Versatile Disk (DVDs) 

professor notes that a chapter from a book carries a price or other high capacity media. Such media would store, in 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

119 120 

addition to the films themselves, one or more secure con- would "know" from the electronic rules and controls deliv- 
tainers including control sets for controlling use of the films. ered to it that the film distributor, studio and the Distributed 
Consumers 95 could play the' films using a media player 104 Commerce Utility 75 are to receive particular percentages of 
(see FIG. 1) having a network 150 connection or other "back the $2.95 usage fee, and that a state government authority 
channel" (e.g., the ability to read from and write to a smart 5 must receive a certain tax payment in the form of a sales tax 
card or the like). or VAT. Because this information is maintained within the 
Media player 104 has a protected processing environment protected processing environment 154 within media player 
154 such as a secure processing unit for use in managing 104, the consumers 95 may never be exposed to the payment 
rights and manipulating the electronic containers. The stor- disaggregation scheme and/or its details. (Typically, con- 
age media might also be played by a personal computer 124 io sumers do not care what the distributor "cut" is as opposed 
equipped with a protected processing environment and a to the studio revenue. The protected processing environment 
network connection. within media player 104 may provide this payment disag- 
Set top box 104 may be controlled by electronic controls gregation locally or through a distributed or centralized 
distributed on the media and/or via the back channel. The financial cleann S ^ mctlon 200 35 Ascribed above.) 
controls require the set top box 104 to record customer usage 15 Mcdia P^yer 104 can report the usage containment infor- 
and payment information for each property the consumer maUon it has collected on a real tmie (onlme) and/or penod^ 
decides to view. For example, a consumer 95 might place a event-driven basis. In one example, media player may report 
media such as an optical DVD disk into media player 104 at end of each moath information it has collected 
and hit the "play" button. The consumer's media player 104 over to Preceding month. It may report collected payment 
might next display (e.g., on television set 102) a message 20 information (including disaggregation data provided by the 
telling the consumer how much it will cost to view that conlro1 «0 to a financial r clearinghouse 200 run by Disney 
particular film (e.g., $2.95), and ask the consumer if she K for example, such information may be reported directly 
wants to proceed. If the consumer answers "yes", media to clearinghouse 200). Financial cleannghouse 200 ensures, 
player 104 will play the film on the consumer's television set ^ consumer's account is appropriately debited and that 
102^-rccording usage and payment information for report- 25 *f vanou ? P avees (e.g. Disney, the film s distributor and 
ing to Commerce Utility Systems 90. The protected pro- othcrs m * hc valuc cha 5> receive appropnate splits of the 
cessing environment 154 within media player 104 may, consumer s payment. The financial cleannghouse 200 may 
under secure control of one or more associated electronic aIso P rovide consumer credit checks and authorizations 
control sets delivered to it-monitor and collect information helping to ensure that the consumer doesn't run up a big bill 
mat can ultimately be used to ensure the consumer pays for 30 she can t pay. . t 
watching the film and to provide a secure usage audit. The Media P laver 104 mav re P ort usage information it has 
secure usage audit may be used, for example, to allow collected to a usage cleannghouse 300 operated by an 
Disney, the film's actors and director, and others involved in independent auditor (the film's producer and actors may 
making the film to securely verify how many consumers "isist that an independent third party auditor— not Disney- 
watched the film (and also potentially to provide demo- 35 Performs this function) or, for example, may report such 
graphic information for targeting advertising or the like). For information to Disney and/or clearmgbouse 200-certain of 
example, the media player 104's protected processing envi- such information may be concealed from Disney if required 
ronment may securely collect and record, for example, the b V ralcs and controls t0 cn f urc ° J thcr ^ alu ? cham 
following information within meter, billing and/or budget an d Disney ma y not be able to identify, alter, and/or remove 
audit trails associated with particular controls: 40 such information due, for example, to VDE protection 
P fi . mechanisms. The usage clearinghouse 300 may analyze the 
name o m usage data and issue reports indicating total number of 
digital identifier of film views> market share , etc Usage clearinghouse 300 may also 
time and date property played further analyze the information to provide demographic 
number of times property played 45 and/or other marketing research information. This type of 
who played the property. information can be very useful to advertisers and marketers. 
In one example, consumers 95 would have to possess a Disney may also operate a rights and permissions clear- 
digital certificate 122 issued by an appropriate certifying inghouse 400. Even though permissions are distributed on 
authority that attests to certain facts. Such a digital certificate the optical media in this example, the rights and permissions 
122 can be used to provide a context for the electronic 50 clearinghouse can provide supplemental control sets for 
control set(s) delivered to media player 104. Such a certifi- various reasons. For example, the control sets distributed on 
cate might need to be present before the consumer would be the media may expire on a certain date. Rights and perm is- 
permitted to play the film and/or to prevent the film from sions clearinghouse 400 may issue new control sets in lieu 
playing under certain conditions and/or to effect the controls of the expired ones. Rights and permissions clearinghouse 
that apply when the film is played. 55 400 may also issue permissions to provide "sales" and/or to 
For example, the parents could obtain a digital certificate otherwise change prices (e.g., to reduce the price of an older 
122 indicating that the household has children. This "child film). Rights and permissions clearinghouse 400 can also 
present" digital certificate 122 could be used to prevent issue special permissions (e.g., an extracting or anthologiz- 
media player 104 from playing any films other than those ing right that multi-media developers or advertisers might be 
that have "G", "PG" ratings. Such certificates 122 could be 60 able to request, and/or, for example, redistribution rights to 
issued by the same organization that provides the other certain frames such as an approved image of Mickey Mouse 
administrative and support services in connection with this for printing purposes). Disney could "pre-approve" some of 
example if desired. these special permissions so that the rights and permissions 
The electronic controls provided with a particular film on clearinghouse could automatically provide them on demand, 
a media such as an optical disk may also specify a particular 65 Digital certificates 122 might be used to interact with the 
value chain disaggregation to be applied in connection with permissions — thereby assuring that the user receiving the 
payment anangements. For example, the media player 104 control set is entitled to take advantage of it. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

121 122 

Example: Distributed Commerce Utility 75 Can confidentiality. In yet another example, a rightsholder, rights 

Support The Collection, Analysis, and Repurposing and permissions clearinghouse 400 or usage clearinghouse 

Of Usage Information 300 or other party, may have used the same negotiation 

i j . l i mechanisms to negotiate, through the use of VDE rules and 

Prior to the inventions disclosed in the Ginter et al. s COD trols sets alternative levels of privacy and confidentiality, 
specification, the electronic community lacked general As illustrated in FIGS. 11 and 33-39, the usage clearing- 
purpose, reusable, distributed, peer-to-peer technologies that house fonctions mat may remove identifying information, 
could, among other things, efficiently and effectively mom- aggregate data, analyze data, generate reports, and/or trans- 
tor and measure usage on the local computer or protected m j t mose re ports to rightsbolders and other interested parties 
processing environment. Collecting, analyzing, and report- may exist in one or more logical and physical locations. For 
ing usage data provides significant value to rightsholders example, a distributed usage clearinghouse 300 executing on 
and to other distribution chain participants, to infirastructure the local computer (or other information appliance) may 
Distributed Commerce Utility 75, to customers, and to other perform any or all of these usage clearinghouse functions, 
interested parties. Understanding what has happened can One or more usage clearinghouses may exist within a given 
often be a fundamental determinant or contributor to what company or within a given collection of companies corn- 
might or should happen. In addition, usage information can 15 prising a vertical industry, healthcare, for example, trading 
be repurposed to support a wide range of other commercial group, or family of companies ("keiretsu"). Similarly these 
activities, including advertising and merchandising models. usage clearinghouse functions may be performed by usage 

_ • . e * clearinghouses within each country or other jurisdiction or 

Suppose one or more customers in each of several com- , ~ F7 , « , _ u- ■ ui„ 
, y V defined by any other class and/or geographic variable, 
pames have information apphan^OO, jn thjsone example 2Q ; iea ^ ghouse 300 may also provide raw data, 
such as personalcomputers, with VDE protected processing ^ d * nd/or customized rcp0 £ to rightsholder 
environments (PPEs) 154 as described I m Ginter et af ^ ^ participanls> ^d/of^r m ^Uted par- 
Suppose further that over^meume period, perhaps a month &es Thege ^ .^de: fof e , creators> 
in this example, that VDE has been keeping track of detailed Tepackageis, repurposers, advertising agencies 
usage information and storing this information m the a and ^ trade JssociationSj malket ^^1, and 
encrypted database on each hard drive on each computer that companies, circulation audit and audience mea- 
isalogicalextensionaiidimdermecontrolofeachconaimer smenlcnt bureaus> mc ^ mark eting, and advertising 
PPE. These consumers have each been purchasing different mnctions of ^p^cs with an interest in one or more 
combinations of infonnanon and entertainment from gener- mafk and enunent 

ally different sources. Each instance of VDE keeps track of 30 clearinghouse 300 may also 

usage ^formation according to the controls associated with ^^on to advertiser mdicating exposure to par- 

the content and/or service being purchased or otherwise ^ a<js ^ of ads by custMnMS 

use within a company and/or group of companies, markets, 

On or shortly after the first of each month, and/or any and/Qr othef analysis groU p mg3 aod categories, 

other required (or, if supported, allowed) reporting intervals, 35 

each instance of VDE communicates the usage records to the Example: Secure Directory Services Protect 

usage clearinghouse 300 according to the controls associated Confidentiality and Privacy 

with each of the digital properties they have used during the Personal and business confidentiality and privacy are 

previous month. In turn, the usage clearinghouse 300 pro- often essential aspects of the modern experience. Individuals 

vides reports to each of the rightsholders regarding any use w may not want others to know with whom they are associ- 

of a property during the previous month or other reporting ating. In many aspects of business, firms may not wish to 

interval (e.g., daily, weekly, quarterly, annually, etc.). reveal their interest in communicating or interacting or 

In one example these reports contain information identi- conducting business with other parties. In today's Internet, 

fying both the individual customer and the company that for example, it is possible for those with certain kinds of 

employees them. In another example, the reports contain 45 access to determine the nature of queries between a given 

detailed usage information, but the identities of the indi- person and a directory service. Such information may pro- 

vidual customers has been removed by the usage clearing- vide important clues regarding existing or pending business 

house 300. Alternatively, both the individual and corporate arrangements that have not yet been publicly announced, a 

identities may be removed. Instead, the usage information merger or acquisition, for instance, 

may be aggregated by any one or more certain classes, such 50 VDE secure containers provide one basis for secure 

as by industry, geography, and/or by country, and/or any directory services 600 in which confidentiality and privacy 

other useful classes. are preserved. In one example, the Corporation Counsel in 

In another useful example, a particular company or indi- a Fortune 100 company wishes to obtain the email address 

vidual customer may have not permitted VDE (subject, of of the investment banker in the firm handling a proposed 

course, to this right being available through in place rules 55 acquisition — but without revealing her interest to anyone 

and controls) to communicate identity information to the else. The attorney sends a query in a VDE secure container 

usage clearinghouse 300 from their information appliances to the secure directory service 600 with the name and 

in the first place. The user may have established VDE company of the person she wishes to contact. The secure 

controls prohibiting disclosure of such identifying informa- directory service then sends the response in another VDE 

tion. In another example, the user may have used the 60 secure container back to the attorney. Both the query and the 

negotiation mechanisms disclosed in the Ginter et al. appli- response can make use of certificates issued by the certifying 

cation to negotiate additional levels of privacy and confi- authority 500 authenticating both the attorney and the secure 

dentiality other than those required in the various control directory service 600. Payment for the query can be handled 

sets associated with the information being purchased or by the financial clearinghouse 200 who deposits payment in 

otherwise used by each customer, that is, the electronic 65 the provider account of the secure directory service 600 

negotiation process generates a modified or new rules and while debiting the account of the company that employs the 

controls set reflecting the additional levels of privacy and attorney. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

123 124 

Because these transactions are conducted using VDE and 1070 may also have negotiated agreements with a large 
VDE secure containers, those observing the communica- commercial usage clearinghouse 300 and with a major 
tions learn no more than the fact that these parties are financial clearinghouse 200. These centralized clearing- 
communicating. Security analysts have developed tech- houses could be located anywhere, and may communicate 
niques for "traffic analysis", in which the frequency of 5 with company 1070 via the Internet and the corporate 
communications among two or more parties is observed and h^iim. Neither of these clearinghouses 200, 300 are 
changes in the frequency of communications are correlated f^ted ™ th *e company 1070 other than through this 
with other information to make inferences regarding the business arrangement. Each of the distributed clearmg- 
content and/or purpose of these communications. houses Wlthm the company 1070 operates under the simul- 

IT . xrr .„ , ™ c . . . , . in taneous authority of both the company and the external 

a f ?!^? E<m . secure contaxners., l f P 0 ^ ° 10 clearinghouses with which the company has a business 

defeat traffic analysis, however at some added expense. In 

this one example, the company could send a VDE container arrangem n . 

to the secure directory service 600 with an empty or "null" „ th^ one example, a product markeUng manager 1074JP 

query that would generate in the average amount of elapsed (1) employed by this ^company 1070 in Japan acquires a 

time a return mekge in a VDE container with a null « market research report 166 from an Amencan distributor 

response. The instance of VDE on the attorney's computer 1076. The report and associated controls are sent from the 

would generate a payment transaction destined for the American distributor 1076 to this employee 1074JP(1) in , a 

financial clearinghouse, but would aggregate these payment ~ nUm " ™ 6 inStaD< f f VDE °" ^ 

records with others to eliminate conations between the manager's appliance 1074JP(1) keeps track of usage and the 

pattern of queries and payments. While inefficient from a 20 Payment due the ^formation provider ftnodicaUy, these 

commerce standpoint, this method of using VDE and VDE audlt ^J^\)^9\^ transmitted in VDE secure 

secure container to defeat traffic analysis attacks can in contamers 1052* 1052c to distributed usage cleannghouse 

principle be used among plural parties wishing to hide the C ' eann ^ e ) 300B and to the internal 

pattern of communications among them while tlking advan- cteannghouse 200B-botb of which are located m 

iages of the secure, trusted, efficient distributed transaction * Japan on ^ company's internal, private corporate network 

capabilities disclosed in the Ginter et at application. &L ntranet) V" 2 From tune to tune and in accordance with 

r r VDE controls associated with the content purchased, the 

Example: Cooperation Among Clearinghouses private usage clearinghouse 30GB removes, in this example, 

Internal and External To An Organization individual identifying information in accordance with VDE 

The various Commerce Utility Systems 90 may be dis- 30 rules and controls managing protected processing enviroo- 

tributed to varying degrees and in varying combinations as ment processes and sends in a VDE secure container the 

illustrated in FIGS. 2A-2E and 3A-3C). In one example audit records 302(3) to the external, commercial usage 

shown in FIG. 65, an American Fortune 100 company 1070 clearinghouse 300. All of the company's internal, distributed 

with operations in several countries (e.g., the United States, usage clearinghouses 3 00 A, 300B, 3C0C send periodic com- 

Japan and Europe) and within many of those, in multiple 35 munications in VDE secure containers 152 to the commer- 

locations within each country, has found it desirable to cial usage clearinghouse 300. In turn, the master usage 

internationally distribute VDE Distributed Commerce Util- clearinghouse 300 creates and sells, licenses, and/or other- 

ity 75. To increase the efficiency of purchasing external wise distributes reports to rigbtsholders and other parties 

information, and to maximize its leverage with information (e.g., third parties having a commercial interest in obtaining 

providers, the company 1070 has chosen to negotiate with 40 the information) in which the identities of individuals are 

several providers, agreements that treat all purchases as removed, and which in many circumstances company 

having been made from within the US and being in US names, in accordance with VDE rules and control, have also 

dollar currency. In this example, the company 1070 main- been removed. 

tains its own global Intranet 1072. Intranet 1072 connects From time to time and in accordance with VDE controls 

company headquarters 1074HQ (shown here as being 45 188a associated with the content 166 purchased, copies of 

located within the United States) with company US the complete usage records (with employee identification 

employee electronic appliances 1074US(1), . . . , 1074US information) are also sent to the company's master usage 

(N), company Japanese employee electronic appliances clearinghouse 300HQ (which may be located at corporate 

1074JP(1), . . . , 1074JP(N), and company European headquarters), as are audit records from all the company's 

employee electronic appliances 1074EU(1), . . . 1074EU(N). 50 distributed usage clearinghouses 300 A, 300B, 300C. These 

Intranet 1072 also permits each of these employees 1074 to are then aggregated and combined for further analysis, 

communicate with one another. VDE-based transactions reporting, and auditing. 

between the company 1070 and its information suppliers are The internal, distributed financial clearinghouses 200 A, 

also routed through one or another of the company's US 2 COB, 200C also receive audit records 302 in VDE secure 

gateways to the Internet. 55 containers 152 in accordance with VDE controls sets for the 

To provide efficient administrative and support services, purchased information from each of the VDE protected 

the company 1070 has deployed in each country at least one processing environments 1074 reporting to them. Each 

distributed financial clearinghouse 200 and at least one internal financial clearinghouse 200A, 200B, 200C aggre- 

distributed usage clearinghouse 300. For example, company gates the payments and from time to time sends a VDE 

1070 may operate a financial clearinghouse 200A and a 60 secure container 152 with audit records 302 indicating the 

usage clearinghouse 3C0A in the United States, a financial aggregate sums to be transferred to the information provid- 

clearinghouse 200B and a usage clearinghouse 300B in ers as a result of transactions. The company may also 

Japan, and a financial clearinghouse 200C and usage clear- provide update information regarding the accounts from 

inghouse 300C in western Europe. In countries with mul- which the company's funds are to be transferred and/or the 

tiple sites and within the United States, several of these 65 provider accounts that are to receive such funds. In turn, the 

distributed clearinghouses may exist In addition to negoti- external master financial clearinghouse 200 completes these 

ating agreements with information providers, the company payment transactions and sends audit records back to the 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

125 126 

company 1070 and to the information providers confirming FIG. 66 also shows another organization B that may have 
the payment transactions. In the preferred embodiment, its own Intranet 5100(B), user electronic appliances 100(B) 
these activities occur securely under the control of distrib- (1), . . . , 100(BXN)» ^ private transaction authority 
uted VDE nodes, and are automated at least in part through 700(B). In addition, FIG. 66 shows a public data network 
the use of VDE containers and chain of handling and control 5 5104 (such as the Internet for example) and a public trans- 
managing multi-nodal, multi-party, sequence of processes. action authority 700(C). FIG. 66 shows that in this example, 
As an alternative example, the calculation for the amount of organizations A and B communicate with the outside world 
payment and the completion of the payment transactions is through trusted transaction authority 700(A), 700(B) (which 
performed at the external master financial clearinghouse 200 may, if desired, also include "gateways", "firewalls" and 
from usage information received from the usage clearing- other associated secure communications components). In 
house 300 (of course, if usage clearinghouse 300 and other examples, trusted transaction authority 700(A), 700(B) 
financial clearinghouse 200 are the same party, the financial need not be the actual "gateway" and "firewall" to/from 
clearinghouse already has received such information). The Internet 5104, but could instead operate wholly internally to 
external and internal financial might then, in this example, the respective organizations A, B while potentially generat- 
compare payment information. ing electronic containers 302 for transmission over Internet 

This example does not depend on the extent to which 15 5104. 

administrative and support services are distributed. In a In this example, organization A user protected processing 

related example, the usage and financial clearinghouse func- environments 100(A)(1), . . . , 100(A)(N) each have an 

tions could have been distributed to each VDE-aware pro- instance of a virtual distribution environment protected 

tected processing environment 1074 as illustrated in FIGS. processing environment, and can communicate with one 

2A-2E and 3A-3C. In this example, each protected pro- 20 another over Intranet 5100(A) via secure electronic contain- 

cessing environment 1074 could report directly to the master ers 302. Similarly, organization A user electronic appliances 

external clearinghouses 200, 300, to distributed external 100(B)(1), . . . , 100(B)(N) each have an instance of a virtual 

clearinghouses, and/or to internal clearinghouse functions distribution environment protected processing environment^ 

organized differently than described just above, for example, and can communicate with one another over Intranet 5100 

by continent (North America, South and Central America, 25 (B) via secure electronic contoiners 302. In addition, orga- 

Australia, Europe, etc.) rather than by country and company n ^ on A and orgamzauon B can communicate with one 

a ™« i . ' ' J v > another over Internet 5 104 via secure electronic containers 
1070 location. 

to™ ft ; rther exam P le ; ^V**^ h ^ uar ? ers Organization A's private trusted transaction authority 

J^'LS^ 11 ^ f" 18 " 30 700(A) may be used for facilitating organization A's internal 

houses 200HQ, 300HQ provide a centralized clearinghouse 30 com v munications md processes. Private trusted transaction 

system through which all usage and financial information aut h 0 rity 700(A) might be used, for example, to carefully 

must flow. In this particular, more centralized example, all track items sent from one user to another within organization 

user appliances 1074 report their usage and financial trans- a. The public transaction authority 700(C), meanwhile, can 

actions to headquarters-based clearinghouses 200HQ, be used to coordinate between organization A and organi- 

300HQ in secure containers 152 over Intranet 1072. Com- 35 zation B without, for example, revealing confidential infor- 

pany headquarters financial clearinghouse 200HQ may mation of either organization to the other organization, 

interface directly into VDE compliant general purpose pay- Below are more detailed examples of how the FIG. 66 

ment systems that directly support the use of VDE chain of arrangement might be advantageously used to conduct busi- 

handling and control for ensuring the enforcement of ness transactions. 

automated, secure, financial transaction fulfillment in accor- 40 Suppose a confidential memo needs to be approved by 

dance with rules and controls governing payment related users 100(AX1)> 100(AX3) and 100(AX5) (who can each 

variables such as payment amounts, parties, locations, tim- revise the memo) before being distributed to each of users 

ing and/or other conditions. These headquarters-based clear- 100(AX2), 100(AX7)-100(A)(10) and 100(AX12) (none of 

inghouses 200HQ, 300HQ, (which may function as a single, whom can change the memo), with copies to users 100(A) 

integrated Commerce Utility System) in turn, may commu- « (*)> 1^A)(3) and 100(AX5) (who also can't change the 

nicate appropriate aggregated and/or other audit trail and/or mcmo after all three of them have signed off on it) and to no 

paymentUrmationto the individual clearinghouses 200A, oae f*« ?™ e transaction authority 700(A) can maintain 

200B, 200C, 300A, 300B, 300C within each country. While [^^^J^^ requirements. Transaction 

less efficient than the less hierarchical example described * uu^ ; . 

. ... . . . , e n send the memo (in secure containers) in round robin 

above th* arrangement may appeid to Urge corporations ^ ^ 10 fl(AXl), 100(AX3) and 

who wish to exert centralized control over usage and finan- 100(A¥5 > ) for aonroval 

cial information by acting as the central administrator for the _ r »u „ ~ \«« ^ *k- ™- n™ 

r .'i • a. j * * *i_ 4 -j If any one of these users changes the memo, then trans- 

provision of credit and/or electromc^currency to d^uted can circulate the revised memo 

mternal financial c eann^ouses and by efficiently manag- {q ^ ^ ^ fo 72 d( £ tional comments and revisions, 

ing ln-house collection of transaction related information. 33 inn/Avn mnavi\ jnm/A\ 

& Once all three of users 100(A)(1), 100(A)(3) and 100(A) 

Example: Transaction Authorities Can Be Used (5) approve the memo, transaction authority 700(A) 

Within and Between Organizations ma y be empowered to place each of their digital and/or 

FIG. 66 shows an example use of transaction authority handwritten signatures or initials on the memo, place it 

700 for inter and intra organizational communications. FIG. 60 into one or more secure containers with a control set 

66 shows an organization A (left-hand side of the drawing) specifying it is read only and can only be read by users 

as having an "Intranet" (a private data network within a 100(A)(1)-1W>(A)(3), 100(AX5), 100(AX7>-100(A) 

particular organization) 5100(A). Intranet 5100(A) may be a (10) and 100(AX12). 

local and/or wide area network for example. User electronic Transaction authority 700(A) may then send a copy of the 

appliances 100(A)(1), . . ■ , 100(A)(N) (for example, 65 memo in a container to each of these users, or could 

employees of organization A) may communicate with one require the same container to circulate from one to 

another over Intranet 5100(A). another. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

127 128 

The transaction authority 700 may require the electronic tifying the design specification to later evidence that 

controls to maintain a secure audit trail indicating organization Adelivered it on a particular date and time 

where the container has been, who has opened it, who in accordance with a contract, 

has accessed the memo it contains, and when. Trans- Public transaction authority 700(C) could then forward 

action authority 700(A) might thus increase personal 5 the design specification (still within a secure container) 

accountability by evidencing whether a particular per- over Internet 5104 to organization B's private tiansac- 

son had seen a particular document, when, and for how t j on authority 700(B). 

lon 8- . . Organization B's private transaction authority 700(B) 
Organization A's Intranet 5104 might also be used to ^ automaticaU y ^ a ^py of foe specifi . 
exchange and/or distribute highly confidential design speci- 10 catioQ OVM organizalion B > s j^e, S 10 0(B) to the 
flcations. Transaction authority 700(A) can for example, appropriate users 100(BX1), 100(B),(N) within oiga- 
maintain, in digital form, a detailed record of who has nfa^Uoo B. No one outside of organization B would 
"signed off" on the design specifications-thus ensuring med to who received a of lhe specification, 
personal accountability and providing a high degree of On the other hand, organization A's transaction autbor- 
efficiency. is ity 700(A) could, if desired, include electronic controls 
As mentioned above, private transaction authorities 700 restricting access to only certain engineers within orga- 
(A), 700(B) can also provide a "firewall" function to protect niza , ion ^ xcalc controls would be carried 
confidential information from escaping to outside of the j Mo organizatio n B and securely enforced by 
respective organizations A, B. Suppose for example that electronic appliances 100(B)(1), .... lCOfBYN)- 
organization A is an integrated circuit design house and 20 organization B's transaction authority 700(B) could man- 
organization B is an integrated circuit foundry. Organization the chi ^ manuf a Ct uring process, ensuring that all steps 
A designs and specifies the circuit layout of a chip, produc- and eoumaat required to manufacture chips in accordance 
mg a "tape out" that it sends to organization B. Organization with OIganizati on A's design specification are followed. 
B manufactures an integrated circuit based on the tape out , 

and delivers chips to organization A. 25 Example — Transaction Authority Can Facilitate 

Transaction authority 700 can be used to facilitate the International Commerce' 
above business transaction while protecting confidentiality 

within each of organizations A and B. For example: FIG. 67 shows an example of bow transaction authority 

organization A's private transaction authority 700(A) can 7Ca . can be , to conduct ^rnational 00 ^ merce " In mis 

supervise an overall design and specification develop- 3" Particular example, a transaction authority 700 coordinates 

ment effort within organization A All communications * ™ m P l " m«ltm»tional transaction between companies 

take place in secure containers 302 over organization 1106A ; U , 06B ™* ^ led 10 then- own respective 

A'sIntranet5100(A)tomaintainconfidentiality. Trans- «> untncs (•*• ' h6 u Umted Stou * Au *' raba Europe), 

action authority 700(A) can maintain a secure archive ^F^. "°* A has lts °^ 4 ? k U08A 

of historical design documents, works in progress, and 35 U10A. Simtiar y company UNBbaris own bank 1108B 

specification versions as the design process progresses. ^l^f 8 , 1U0B ' J"* ? mpany U06C has ltS own bank 

_ . . . , . °" x 1108C and lawyers 1110C. 

Organization A 's private transacbon authority 7(M>(A) can ' . . . 

manage the foial design specification development- "ansaction authority 700 may assist in forming 

ensuring that all conditio^ required to finalize the agreements between the international parties by for 

design specifications are followed. 40 exam P le P 18 ? m S off ^ K and = ounteroffer ! back and * orth m 

secure containers and using the contract forming techniques 

Once the design specification has been finalized, transac- described a5ove t0 establish some or all of the terms and 

tion authority 700(A) can circulate it within secure ide nOD . repudiation . 0 nce a contract is formed, trans- 

containers 152 to those kidividuals within organization action authority 700 may maintain a master set of rules and 

A that need to "sign oflT on it Their respective apph- 4S amtrob specifying all me conditions that must be satisfied 

anccs l^AXl), . . - 100(AXk) can affix and/or embed to thc transaction— and may thus provide conse- 

digital signatures, handwritten signatures, seals and/or qucnccs for different events. Alternatively, once the contract 

fingerprintsasdescribedabovetoiDdicatesr^cmcation k cxccutcdf the transaction authority role may be virtual, 

approval. particularly in simpler models, that is the value chain rules 

Upon being satisfied that the specification has been so and controls can be carried by VDE containers whose rules 

"signed off* by the appropriate people, transaction a nd controls may, as a whole, specify all processes and 

authority 708(A) can send it over Internet 1104 within conditions that must fulfilled, including their sequence of 

a secure container 302 to public transaction authority operation. Rules and controls provided by a transaction 

7C0(Q. Public transaction authority 700(C) may be a authority 700 may take international law into account — with 

commercial transaction authority retained by organiza- 55 differing rules applying to different countries. The rules 

tions A and B to act as a liaison between them. could take into account various import and export require- 

Organization A's private transaction authority 700(A) m ents and restrictions, international tax treaties between 

can filter (or protect) all information it sends to public nations, contain upfront and/or ongoing customs related 

transaction authority 700(C) to ensure that organization routing and filing requirements, identify reputable currency 

B can access only that information intended for it. For $q transaction authorities, assist in filing contracts or certain 

example, private transaction authority 700(A) might contract terms with relevant national and international 

provide additional electronic controls within the con- authorities, manage any shipping or other transportation 

tainer to prevent organization B from seeing any requirements, assist in establishing conclusive translation 

detailed audit information showing where the specifi- services for contract terms (particularly standard terms and 

cation has been within organization A. 65 conditions), manage differences in international certifying 

The public transaction authority 700(C) might act as an authority requirements and formats, impose societal regula- 

independent trusted third party, notarizing and/or cer- tions required by applicable governing bodies, and collect 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

129 130 

applicable governing body taxes, such as taxes for both ing environment that completes the negotiation (or receives 

national and regional governing entities, etc. Transaction negotiation completion instructions digitally signed by both 

authority 700 may communicate between the various inter- parties through the use of VDE techniques) to a distributed 

national parties using secure electronic containers, and may transaction authority, which in turn, notifies other parties, 

securely validate and authentic various event notifications 5 including other participating transaction authorities, that 

provided by the international parties. price has been agreed upon. Based on VDE controls for 

subtransactions, VDE may securely notify a party or parties 

Example: Distributed Transaction Authorities that certain other subtransactions are now to be completed. 

^ . , . . . j .u .ir In this example, the title search company may now perform 

Complex business interactions under the control of a . . . _j . . 

*. t , . , . . , . , u . ,io their task; an insurance company may now begin negotia- 

transaction authority 700 may also be distributed within and £ for £ ' > YDfiTegodation 

among, for example, orgarnzatons ancVor junctions. Sup- mechanisms ^ y attorney ^ ? he counsel's office for the 

pose a complex mtemational real estate transaction requires negotiations with his counterpart in the 

participation of several functions within the purchasing and * „ J *r\. - . e _ o , . /V . ... 

r „. r . c . . . j ° sellers company; both in-bouse attorneys may interact with 

selling companies, several financial institutions, insurance tbeii outside counsel using VDE and VDE secure containers 

companies, and law firms, and perhaps government agencies negotiating the various documents whose 

m a few countnes. Suppose further that each of the organi- exBCUlion g ^ parts * r m6 ovcrill transaction . 

zational and mdividual parties to the transaction has com- v r 

puters that are VDE-aware, and that within each organiza- 1° this example, each of the parties may have one or more 

tion or agency there is at least one distributed transaction di 8 ital certificates issued by the certifying authority 500 to 

authority that performs services for this real estate transac- 20 authenticate each of the parties to this transaction and its 

tion under an authority granted by a master transaction subtransactions. The financial clearinghouse 200 provides a 

authority 700 payment vehicle for various value added services, in one 

_ ... , . . 1 ♦* example, those provided by the transaction authority 700. 

In this one example, each of the parties to the real estate * K . ' .. . ... / m . 

. f ' , r , , The usage clearinghouse 300 collects audit records sent 

transaction has contributed commerce rules and parameters & a * • * . 

. . . ... , . - r , Tmr 25 from time to time in VDE secure containers from each or the 

represennngtheutem^relat.onsh^mthefomofVDE VDE protected processing environments and 

rules and consols that define each parties role in the overaU ^£ * ^ au * it of , hese 

transaction. For instance, the insurance company must \ ^ r . ^ . . . . 

" " ~ ' , ^ *u * *u u tions. The secure directory services 600 helps participants 

insure the property at a value and cost that the purchaser other . s ^*fc addresses w Je maintaining 

fi D ds acceptable and that is also approved by the mortgage 30 ^^j, ^ rf 

lenders). Also, suppose that these transaction VDE rules J . ,. „ 

and controls have already been mutually agreed upon using As each of the subtransactions is completed, a distributed 

negotiation mechanisms described in the Ginter et al. transaction authority within the organization within which 

application, and that the negotiated rules and controls the subtransaction is completed notifies the master authonty 

together with the history of negotiating these rules and „ transaction 700 of completion of that subtask. 

controls have all been stored at the master transaction According to the previously agreed upon VDE rules and 

authority for this real estate transaction. The most senior 501156 or aU of P ersons participating m the 

transaction authority may be a master transaction authority transaction may also be notified by audit records and/or 

700 or might be any mutually agreed upon distributed messages that are securely sent from, and authenticated by, 

transaction authority. In this one example we assume the » at lcast onc participating VDE protected processing 

former. In short, in short, all parties have agreed to the rules environment, including, for example, PPEs at nodes for 

and controls that govern the transaction. The negotiation individuals, distributed Commerce Utility Systems, a dis- 

process may have been simplified because the transaction tributed transaction authonty, and/or the master authonty for 

authority 700 may have distributed a distributed template this transaction. 

application for international real estate sales, the template 4S When all the component elements of the overall transac- 

being based on the transaction authority 700's past experi- tion have completed, a transaction authority, in this example, 

ence or that were created by the transaction authority 700 the master transaction authority for this real estate sale, 

especially for this transaction as a value added service to its notifies each of the participants and each of the participating 

important customers. distributed transaction authorities, that the preconditions 

Each of the parties to the transaction is, according to the 5 o have a11 been met and settto the overaU t™ 05 ** 00 - 
VDE control sets that define this atomic transaction, respon- Optionally, the transaction authonty may give seller and 
sible for seeing that certain pieces of the transaction are purchase a last opportunity to proceed to completion or to 
completed prior to the closing and consummation of the hold U P * c transaction. This one example shows that 
overall transaction. In some cases, plural parties are jointly Commerce Utility Systems 90, including transaction author- 
responsible for completing part of the over all transaction. 55 ^ 700 ' m ^ ** distnbutcd to intermediate VDE protected 
For example, the buyer and seller must have agreed on a processing environments that support one or more Corn- 
purchase price. In this example, they contribute their busi- merce Utilit y Systems 90. 

nisms to arrive at an agreement that represents a fair balance ^ Amortizing infrastructure and other resources across 

of interests. If the electronic negotiation is unsuccessful, the many users, building critical mass more rapidly than 

parties may directly negotiate, or VDE secure containers competitors, supporting specialization to tailor and deliver 

with audit records indicating failure are sent to the transac- the most appealing products and services to customers, 

tion authority who, in turn, notifies each of the other parties maximizing negotiating leverage power for purchasing, and 

authorized to participate in the overall transaction. 65 building the most comprehensive infrastructure to serve as 

If the buying and selling parties do agree, in this one the best "one-stop" resource for a given business activity — 

example, notification is sent by the VDE protected process- these arc all central concepts in building successful, modern 



01/11/2004, EAST Version: 1.4.1 



131 

businesses. VDE and Distributed Commerce Utility provide 
a foundation for creating highly competitive and successful 
cyberspace businesses that demonstrate these attributes. 
Many of these businesses will reflect the character of the 
Internet and the World Wide Web. Like VDE and Distributed 
Commerce Utility, they will comprise a distributed commu- 
nity that realizes maximum advantage by supporting elec- 
tronic commerce partnerships. They will provide different 
layers of services and complementary products and services, 
and will realize great advantage in coordinating their activi- 
ties to their mutual benefit. 

The Digital Broadcasting Network ("DBN") will be just 
such an innovative commercial enterprise. Comprised of 
many different World Wide Web ("WEB") based sites and 
services, DBN participants will gain greater leverage and 
operating efficiency by sharing resources, experiencing 
maximum buying power, generating marketing and cus- 
tomer information, and supporting a rational administrative 
overlay that ties together their many, frequently 
complementary, activities. Much like the consistent rules 
that enable and underlie both the World Wide Web and the 
design of VDE and Distributed Commerce Utility, and 
layered upon the capabilities of both these architectures, the 
Digital Broadcasting Network employs their inventions to 
support a highly efficient, largely automated and distributed 
community that maximizes business efficiencies. In a similar 
manner, other examples would include other groupings of 
entities that function together as Virtual Enterprises (e.g. 
corporations or other organizations). The distributed nature 
of VDE and the Commerce Utility Systems are particularly 
important in providing an effective infrastructure for these 
modern, potentially large scale, cyberspace business activi- 
ties. 

The Digital Broadcasting Network may function as a 
cooperative of WEB sites and, for example, service 
providers, with a central and perhaps regional and logical 
(e.g. market based) headquarters groups, or it may function 
as a for profit, shareholder corporation in a business model 
reminiscent of television broadcast companies (e.g., NBC), 
or it may function as a cooperative or virtual corporation that 40 
has some mix or combination of mixes of the above 
attributes and employ distributed peer to peer, hierarchical, 
and centralized administrative business relationships and 
activities. In one example, a plurality of corporations may 
join together to provide the advantages of size and coordi- 
nation with individual participants providing some degree of 
specialty expertise and the body of entities coordinating 
together in some fashion in a "higher" level cooperative or 
corporation. 

In one example, the Digital Broadcasting Network may be 
a single corporation that has many licensed franchisees. The 
licensed franchisees may comprise WEB sites that serve 
geographically and/or logically specialized market areas 
and/or serve other WEB sites in a hierarchy and/or peer-to- 
peer context of Distributed Commerce Utility services as 
described above. On behalf of itself and its franchisees, this 
corporation may, for example: 

negotiate optimal rates for exposure time with advertisers 
and their agents, 

obtain the lowest costs for content provided by third 
parties, 

resell market analysis and user profiling information, 
share its revenue with its franchisees which themselves 
may share revenue with DBN and/or other franchisees, 
provide advertising to franchisees in response to franchi- 
see and/or franchisee user base profiles, 



US 6,658,568 Bl 

132 

guarantee a certain number of "eyes'* (exposures and/or 
other interactions) with respect to advertiser materials, 
provide a secure virtual network employing VDE and 
Distributed Commerce Utility capabilities so that the 
overall organization can operate in a secure and highly 
efficient manner, including using common user appli- 
cation tools, interfaces, and administration operations, 
do advertising for the network to the benefit of the 

network and the franchisees, 
purchase and/or otherwise supply content to franchisees 
in response to franchisee needs as demonstrated by 
their requests and/or usage profiles, 
collect and analyze content (including advertising) usage, 
cyberspace purchasing, and other data as allowed under 
its agreement with franchisees, 
allow franchisees to perform many of the network func- 
tions on a local basis — that is acquire and make avail- 
able geographically and/or logically local (consistent 
with there focus) content (and/or other content of 
particular interest to its user base), 
negotiate agreements regarding advertising materials that 
are of commercial value given the franchisees physical 
and/or logical market focus, 
control at least a portion of its WEB "broadcasting" 
space — that is exercise local control over at least some 
portion of the content — with the remainder of the 
control, by agreement, and, for example, enforced by 
rules and controls, being under the control of DBN 
and/or some one or more other network participants, 
and 

perform other administrative, support and/or service func- 
tions on behalf and/or for the network. 
In one example, DBN may employ many of the security 
and administrative capabilities of VDE and many of the 
service functions provided by. the present inventions to 
manage and automate the distributed relationships and 
activities that are central to the DBN business model. For 
example: 

Transaction Authority 700 can provide the overall admin- 
istrative context for managing the network community. 
For example, the transaction authority 700 may manage 
(through the use of VDE rules and controls in the 
preferred embodiment) the routing of content to appro- 
priate franchisees. It may also manage the chains of 
handling and control related to reporting usage infor- 
mation. The transaction authority 700 may obtain and/ 
or derive its electronic control sets from the agreement 
relationships between DBN and its franchisees. Elec- 
tronic negotations may be used to create these agree- 
ment relationships. The transaction authority 700 may 
also receive controls reflecting bilateral or other net- 
worked relationships directly among franchisees and 
other participants. 
Rights and Permissions Clearinghouse 400 can extend 
commercial rights related to content to network fran- 
chisees. It acts as a repository of rights related to 
content that is supplied by network entities to 
customers — including content rights held by network 
entities themselves, and made available to other net- 
work entities. Such content rights may include, for 
example, displaying, vending, redistributing, 
repurposing, and for advertising. It can provide addi- 
tional rights (e.g., redistribution rights or specialized 
repurposing rights) upon request and/or automated pro- 
filing based, for example, upon usage. 



10 



15 



20 



25 



30 



35 



45 



50 



55 



60 



65 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



133 



134 



Usage Clearinghouse 300 can collect usage data in sup- 
port of market analysis, user profiling, and advertising. 
It may also analyze that information and derive reports. 
It may distribute those reports internally to the DBN as 
appropriate, and sell reports and/or other usage based 
information externally based upon commercial oppor- 
tunity. 

Financial Clearinghouse 200 can ensure proper compen- 
sation fulfillment throughout the network. It may col- 
lect payments due to DBN from franchisees for con- 
tent. It may distribute to franchisees payments due 
them as a result of advertising and reselling of usage 
information. It can collect payments from franchisees 
for support of generaly DBN infrastructure and services 
such as, for example, network advertising. It connects 
to general purpose financial clearinghouse infrastruc- 
ture to transmit and receive payment related informa- 
tion. 

The secure directory services 600 may maintain directory 
services based upon unique identity and/or class 
attribute(s). There may be a very large number of 
franchisees globally. Directory services 600 could also 
maintain directory information on customers, including 
unique identifier and profiling information. Secure 
directory services 600 may maintain directory infra- 
structure for content owned, managed and/or available 
to the network. 

A certifying authority 500 may certify the roles of all 
participants in the network. It would issue a certificate 
to each franchisee, for example. It may also issue 
certificates certifying commercial relationships of 
groupings of network entities to facilitate efficient, 
secure relationships with third parties. They may also 
issue certificates to customers to represent certain spe- 
cialized customer rights regarding customer commer- 
cial activities with outside parties (for example, 
discounts, or being a member of the greater "DBN" 
community). 

Portions or all of specific service functions (e.g., as 
described above) may be highly distributed and may operate 
significantly, primarily or even exclusively on franchise and 
service network web servers. 

While the inventions have been described in connection 
with what is presently considered to be the most practical 
and preferred embodiment, it is to be understood that the 
inventions are not to be limited to the disclosed embodiment, 
but on the contrary, are intended to cover various modifi- 
cations and equivalent arrangements included within the 
spirit and scope of the appended claims. 

What is claimed is: 

1. A system for secure, automated transaction processing 
including: 

a user site including a first secure environment including 

a processor and a secure memory, 
the secure memory storing a first secure container includ- 
ing first governed content and having associated a first 
rule set, a second secure container including second 
governed content and having associated a second rule 
set, and a third rule set; 
the first rule set including: 
a first rule specifying a first secure, interoperable trans- 
action processing system including a first plurality of 
interoperable clearinghouses, and 
a second rule allowing the user to select one or more 
clearinghouses from the first plurality, the chosen 
clearinghouses to be used to at least in part process 



10 



20 



25 



30 



40 



45 



50 



55 



60 



65 



a transaction involving at least a portion of the first 
governed content; and 
the second rule set including: 
a third rule specifying a second secure interoperable 
transaction processing system including a second 
plurality of interoperable clearinghouses, and 
a fourth rule allowing the user to select one or more 
clearinghouses from the second plurality, the cho- 
sen clearinghouses to be used to at least in part 
process a transaction involving at least a portion of 
the second governed content; 
the third rule set including: 

one or more rules specifying one or more clear- 
inghouses acceptable to the user, and 
a fifth rule specifying a user requirement restrict- 
ing use of identification information supplied 
by the user; and 
the user site including a processor capable of 
comparing a clearinghouse specified by the* 
third rule set with a clearinghouse specified by 
the first rule set or the second rule set and 
indicating whether a match exists. 

2. A system as in claim 1, in which: 

the fifth rule specifies that a clearinghouse must delete at 
least some identification-related information prior to 
transmitting information relating to the user to a third 
party. 

3. A method of processing digital transactions including: 
delivering a node to a user site; 

initializing the node, the initialization including: 

specifying at least one processing center to be used for 
processing of at least some digital transactions 
involving the node, and 

specifying at least one privacy-related option relating to 
permissible uses of identification information relat- 
ing to the user; 

delivering a secure container containing governed con- 
tent to the user site, the secure container having 
associated a rule set at least in part governing access 
or other use of the governed content; 

the user indicating an intent to access at least a portion 
of the governed content; 

in accordance with the rule set, displaying a message to 
the user, the message including information relating 
to a condition required before access to the governed 
content will be allowed; 

the user indicating assent to the condition; 

access to at least a portion of the governed content 
being allowed to the user, the access governed at 
least in part by the rule set; and 

in accordance with the rule set, a communication being 
securely transmitted from the user site to the pro- 
cessing center, the communication including infor- 
mation relating to the transaction. 

4. A method as in claim 3, in which: 

the step of specifying at least one processing center 
includes presenting a list of potential processing centers 
to the user, and the user choosing one processing center 
from the list. 

5. A method as in claim 3, in which: 

the node is delivered and installed in a manner which is 
at least in part secure. 

6. A method as in claim 3, in which: 

the step of initializing the node includes specifying a 

payment method; and 
the communication information includes information 

relating to a payment made using the specified payment 

method. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,; 

135 

7. A method as in claim 3, in which: 

the communication information includes usage 
information, which usage information is securely trans- 
mitted from the processing center to a third party site. 

8. A method as in claim 3, in which: 5 
the step of the user assenting agreeing to a condition 

includes the user agreeing to a specified price. 

9. A method of processing a digital transaction including: 
delivering an electronic apparatus to a user, the electronic 1Q 

apparatus including software from a first entity; 
at the user site, initializing the electronic apparatus, the 

initialization including 
registering the software with the first entity and selecting 

a payment option, wherein the registration includes is 

specifying a privacy option relating to permissible use 
of identification information, and 

transmitting registration information from the user to 
the first entity; 

delivering a first secure container to the user, the first 20 
secure container including first governed content and 
having associated a first rule set at least in part 
governing access to or other use of at least a portion 
of the first governed content; 

under at least partial control of the first rule set, the user 25 
using the electronic apparatus to gain access to at 
least a portion of the first governed content; 

under at least partial control of the first rule set, creating 
a second secure container including information 
relating to the user's access to the first governed 30 
content, the second secure container having associ- 
ated a second rule set at least in part governing 
access to or other use of the second secure container 
governed content and containing information relat- 
ing to a payment made by the user in return for 35 
access to the first governed content, the payment 
being specified at least in part by the payment option 
selected in the initializing step; 

transmitting the second secure container to a second 
entity specified at least in part by the second rule set; 40 

at the second entity, extracting information from the 
second secure container and performing an operation 
on at least a portion of the extracted information; and 

directly or indirectly transmitting information relating 
to the user's use of the first governed content from 45 
the second entity to the first entity. 

10. A method of processing digital transactions including: 
a first rightsholder transmitting first content to an admin- 
istrator; 

the administrator storing the first content in a first secure 50 
container and associating a first rule set with the first 
secure container, the first rule set at least in Part 
governing access to or other use of the first content; 

the administrator communicating the first secure con- 
tainer to a user; 55 

at the user's site, the user indicating a desire to access at 
least a portion of the first content; 

in accordance with the first rule set, the user choosing a 
first clearinghouse; 60 

the user obtaining access to at least a portion of the first 
content, the access being at least in part governed by 
the first rule set; 

in accordance with the first rule set, payment information 
and usage information relating to the user's access 65 
being stored in a second secure container having asso- 
ciated a second rule set at least in Dart governing access 



)SB1 

136 

to or other use of at least certain contents of the second 
secure container, wherein the second rule set includes 
a rule generated by the user, at least in part specifying 
a privacy policy regarding use of identification infor- 
mation relating to the user, 
the second secure container being communicated to the 
administrator; 

the administrator accessing the contents of the second 
secure container, the access being governed, at least in 
part, by the second rule set; 

the administrator communicating at least some of the 
second secure container payment information to the 
first clearinghouse, wherein the communication of 
information from the adrninistrator to the first clear- 
inghouse is governed, at least in part, by the require- 
ments of the user rule; 

the administrator communicating at least some of the - 
second secure container usage information to the first 
clearinghouse; and 

the first clearinghouse communicating Payment informa- 
tion and usage information relating to the user's first 
content access to the rightsholder. 

11. A method of processing digital transactions including: 

a first rightsholder transmitting first content to an admin- 
istrator; 

the administrator storing the first content in a first secure 
container and associating a first rule set with the first 
secure container, the first rule set at least in part 
governing access to or other use of the first content; 

the administrator communicating the first secure con- 
tainer to a user; 

at the user's site, the user indicating a desire to access at 
least a portion of the first content; 

in accordance with the first rule set, the user choosing a 
first clearinghouse; 

the user obtaining access to at least a portion of the first 
content, the access being at least in part governed by 
the first rule set; 

in accordance with the first rule set, payment information 
and usage information relating to the user's access 
being stored in a second secure container having asso- 
ciated a second rule set at least in part governing access 
to or other use of at least certain contents of the second 
secure container, 

the second secure container being communicated to the 
administrator; 

the administrator accessing the contents of the second 
secure container, the access being governed, at least in 
part, by the second rule set; 

the administrator communicating at least some of the 
second secure container payment information to the 
first clearinghouse; 

the administrator communicating at least some of the 
second secure container usage information to the first 
clearinghouse; 

the first clearinghouse communicating payment informa- 
tion and usage information relating to the user's first 
content access to the rightsholder; 

a second rightsholder transmitting second content to the 
administrator; 

the administrator storing the content in a third secure 
container and associating a third rule set with the third 
secure container, the third rule set at least in part 
governing access to or other use of the second content; 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



137 



138 



the administrator communicating the third secure con- 
tainer to a user; 

at the user's site, the user indicating a desire to access at 
least a portion of the second content; 

in accordance with the third rule set, the user choosing a 
second clearinghouse; 

the user obtaining access to at least a portion of the second 
content, the access being at least in part governed by 
the third rule set; 

in accordance with the third rule set, payment information 
and usage information relating to the user's access 
being stored in a fourth secure container having asso- 
ciated a fourth rule set, the fourth rule set at least in part 
governing access to or other use of at least certain 
contents of the fourth secure container; 

the fourth secure container being communicated to the 
administrator; . . 

the administrator accessing the contents of the fourth 
secure container, the access being governed, at least in 
part, by the fourth rule set; 

the administrator communicating at least some of the 
fourth secure container payment information to the 
second clearinghouse; 

the administrator communicating at least some of the 
fourth secure container usage information to the second 
clearinghouse; 

the second clearinghouse communicating payment infor- 
mation relating to the user's second content access to 
the rightsholder; and 

the second clearinghouse communicating usage informa- 
tion relating to the user's second content access to the 
rightsholder. 

12. A method of processing digital transactions including: 
a first rightsholder transmitting first content to an admin- 
istrator; 

the administrator storing the first content in a first secure 
container and associating a first rule set with the first 
secure container, the first rule set at least in part 
governing access to or other use of the first content; 

a second rightsholder transmitting second content to the 
administrator; 

prior to communication of the first secure container to a 
user, the administrator storing the second content in the 
first secure container, the first rule set at least in part 
governing access to or other use of the second content; 

the administrator communicating the first secure con- 
tainer to the user; 

at the user's site, the user indicating a desire to access at 
least a portion of the first content; 

in accordance with the first rule set, the user choosing a 
first clearinghouse; 

the user obtaining access to at least a portion of the first 
content, the access being at least in part governed by 5S 
the first rule set; 

in accordance with the first rule set, payment information 
and usage information relating to the user's access 
being stored in a second secure container having asso- 
ciated a second rule set at least in part governing access 
to or other use of at least certain contents of the second 
secure container, 

the second secure container being communicated to the 
administrator; 

the administrator accessing the contents of the second 
secure container, the access being governed, at least in 
part, by the second rule set; 



10 



15 



20 



25 



30 



35 



40 



45 



50 



60 



65 



the administrator communicating at least some of the 
second secure container payment information to the 
first clearinghouse; 

the administrator communicating at least some of the 
second secure container usage information to the first 
clearinghouse; and 

the first clearinghouse communicating payment informa- 
tion and usage information relating to the user's first 
content access to the rightsholder. 

13. A method as in claim 12, further including: 

at the user's site, the user indicating a desire to access at 
least a portion of the second content; 

in accordance with the first rule set, the user choosing a 
second clearinghouse; 

the user obtaining access to at least a portion of the second 
content, the access being at least in part governed by 
the first rule set; 

in accordance with the first rule set, payment information 
and usage information relating to the user's access 
being stored in a third secure container having associ- 
ated a third rule set, the third rule set at least in part 
governing access to or other use of at least certain 
contents of the third secure container; 

the third secure container being communicated to the 
administrator; 

the administrator accessing the contents of the third 
secure container, the access being governed, at least in 
part, by the third rule set; 

the administrator communicating at least some of the third 
secure container payment information to the first clear- 
inghouse; 

the administrator communicating at least some of the third 
secure container usage information to the first clear- 
inghouse; and 

the first clearinghouse communicating payment informa- 
tion and usage information relating to the user's second 
content access to the rightsholder. 

14. A digital transaction method including the following 
steps: 

a first rightsholder packaging first content in a first secure 
container having associated a first rule set, the first rule 
set at least in part governing access to or other use of 
at least a portion of the first secure container contents; 

the first rightsholder communicating the first secure con- 
tainer to a user; 

the user obtaining access to at least a portion of the first 
content, the access being at least in part governed by 
the first rule set; 

the user choosing a first financial clearinghouse from a 
plurality of financial clearinghouse choices, the choice 
being governed at least in part by the first rule set; 

the user choosing a privacy option relating to use of 
identifying information; 

the user communicating payment information to the first 
financial clearinghouse, the communication being gov- 
erned at least in Part by the first rule set; 

the first financial clearinghouse communicating payment 
information to the first rightsholder, the first financial 
clearinghouse's communication of payment informa- 
tion to the first rightsholder being governed at least in 
part by the user's privacy choice; and 

the first rightsholder receiving usage information relating 
to the user's access to the first content. 

15. A digital transaction method including the following 
steps: 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



139 



140 



10 



15 



20 



25 



30 



a first rightsholder packaging first content in a first secure 
container having associated a first rule set, the first rule 
set at least in part governing access to or other use of 
at least a portion of the first secure container contents; 

the first rightsholder communicating the first secure con- 
tainer to a user; 

the user obtaining access to at least a portion of the first 
content, the access being at least in part governed by 
the first rule set; 

the user choosing a first financial clearinghouse from a 
plurality of financial clearinghouse choices, the choice 
being governed at least in Part by the first rule set; 

the user communicating payment information to the first 
financial clearinghouse, the communication being gov- 
erned at least in part by the first rule set; 

the first financial clearinghouse communicating payment 
information to the first rightsholder; 

the first rightsholder receiving usage information relating 
to the user's access to the first content; 

a second rightsholder packaging second content in a 
second secure container having associated a second 
rule set, the second rule set at least in part governing 
access to or other use of at least a portion of the second 
secure container contents; 

the second rightsholder communicating the second secure 
container to a user; 

the user obtaining access to at least a portion of the second 
content, the access being at least in part governed by 
the second rule set; 

the user choosing a second financial clearinghouse from a 
plurality of financial clearinghouse choices, the choice 
being governed at least in part by the second rule set; 

the user communicating payment information to the sec- 3S 
ond financial clearinghouse, the communication being 
governed at least in part by the second rule set; 

the second financial clearinghouse communicating pay- 
ment information to the first rightsholder; and 

the first rightsholder receiving usage information relating 40 
to the user's access to the second content. 

16. A digital transaction method including: 

communicating a first rule set to a user site, the first rule 
set being associated with a first entity; 

communicating a second rule set to the user site, the 45 
second rule set being associated with a second entity; 

communicating a first secure container to the user site, the 
first secure container including first content; 

at the user site, accessing at least a portion of the first 
content; 

creating a second secure container at the user site, 

the creation of the second secure container being gov- 
erned at least in part by the first rule set, 

the second secure container having associated a third rule 55 
set at least in part governing access to or other use of 
the contents of the second secure container, and 

the third rule set including a rule generated by or on behalf 
of the user; 

incorporating the payment-related information into the 
second secure container; 

in accordance with the first rule set, communicating 
payment-related information from the user site to the 
first entity, the step of communicating the payment- 
related information to the first entity at least in part 
consisting of communicating the second secure con- 
tainer to the first entity; 



50 



60 



65 



in accordance with the second rule set, communicating 
usage-related information from the user site to the 
second entity; and 

at the first entity, using at least a portion of the payment- 
related information, the use being at least in part 
governed by the user rule from the third rule set. 

17. A method as in claim 16, in which: 

the user rule from the third rule set at least in part specifies 
a privacy policy relating to permissible uses of identi- 
fication information relating to the user or the user site. 

18. A digital transaction method including: 
communicating a first rule set to a user site, the first rule 

set being associated with a first entity; 
communicating a second rule set to the user site, the 

second rule set being associated with a second entity; 
communicating a first secure container to the user site, the 

first secure container includmg 'first content; 
at the user site, accessing at least a portion of the first 

content; 

in accordance with the first rule set, communicating 
payment-related information from the user site to the 
first entity; 

in accordance with the second rule set, communicating 
usage-related information from the user site to the 
second entity; 

communicating a third rule set to the user site, the third 
rule set being associated with a third entity; 

communicating a second secure container to the user site, 
the second secure container including second content; 

at the user site, accessing at least a portion of the second 
content; 

in accordance with the third rule set, communicating 
payment-related information form the user site to the 
third entity; 

in accordance with the second rule set, communicating 
usage-related information form the user site to the 
second entity; and 

communicating usage-related information from the sec- 
ond entity to a fourth entity, the fourth entity owning at 
least some rights in the first content. 

19. A digital transaction method including: 
communicating a first secure container from a first party 

to a second party, the first secure container including 
first content and having associated a first rule set, the 
first rule set at least in part governing access to or use 
of at least a portion of the first secure container con- 
tents; 

comparing requirements specified by the first rule set to 
requirements specified by a second rule set present at 
the second party site, the compared requirements 
including requirements relating to a clearinghouse, the 
comparison process including: 

comparing a first clearinghouse candidate specified by 
the first rule set to acceptable clearinghouses speci- 
fied by the second rule set, 

determining that the first clearinghouse candidate is not 
acceptable to the second rule set, 

comparing a second clearinghouse candidate specified 
by the first rule set to acceptable clearinghouses 
specified by the second rule set, and 

determining that the second clearinghouse candidate is 
acceptable to the second rule set; 
specifying use of the second clearinghouse candidate; 

comparing a privacy-related requirement contained in 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 



141 



10 



the second rule set to an information-usage requirement 
of the first rule set, and if a match exists, the second 
party gaining access to at least a portion of the first 
content; 

payment information being communicated from the sec- 5 
ond party to the second clearinghouse candidate; and 

the second clearinghouse candidate using the payment 
information to at least in part clear a payment by the 
second party for the access to the first content. 

20. A digital transaction administration system including 

means for creation of secure digital containers, including 
means for packaging content in secure digital contain- 
ers and means for associating rule sets with secure 
digital containers, the rule sets at least in part governing 15 
access to or other use of the contents of the secure 
digital containers; 

means for communicating secure containers from a right- 
sholder to an administrator; 

at the administrator's site, means for undertaking an 20 
automated negotiation between a rule set specified by 
the rightsholder and a rule set specified by the 
administrator, the negotiation involving at least the 
specification of one or more financial clearinghouses 
for clearing of payment-related information and one or 



142 



more usage clearinghouses for clearing of usage- 
related information; 
means for communicating secure digital containers to 
potential users of content packaged within the contain- 
ers; 

means for communicating payment information and 
usage information from users of content, including 
means for rules associated with the content to at least 
in part control the communication; 

means for a financial clearinghouse specified in an auto- 
mated negotiation between the administrator and the 
rightsholder to receive payment-related information 
from users and to communicate payment-related infor- 
mation to the rightsholder; and 

means for a usage clearinghouse specified in an auto- 
mated negotiation between the administrator and the 
rightsholder to receive usage-related information from 
users and to communicate usage-related information to 
the rightsholder. 

21. A system as in claim 20, further including: 

means at the administrator's site for enforcement of 
privacy-related restrictions specified by users. 



01/11/2004, EAST Version: 1.4.1 




US006618806B1 



d2) United States Patent (io> Patent No.: us 6,618,806 Bi 

Brown et al. (45) Date of Patent: Sep. 9, 2003 



(54) SYSTEM AND METHOD FOR 
AUTHENTICATING USERS IN A 
COMPUTER NETWORK 

(75) Inventors: Timothy J. Brown, Tampa, FL (US); 

Rodney Rivers, Westchester, PA (US); 
Dan Nelson, Port Richey, FL (US) 

(73) Assignee: Saflink Corporation, Belle vue, WA 
(US) 

( * ) Notice: Subject to any disclaimer, the term of this 
patent is extended or adjusted under 35 
U.S.C. 154(b) by 0 days. 

(21) Appl. No.: 09/347,779 

(22) Filed: Jul. 6, 1999 

Related U.S. Application Data 

(60) Provisional application No. 60/091,824, filed on Jul. 6, 
1998, and provisional application No. 60/080,319, filed on 
Apr. 1, 1998. 

(51) Int. CI. 7 H04L 9/00 

(52) U.S. CI 713/186; 709/225; 709/229; 

713/200; 713/201; 713/202 

(58) Field of Search 713/186, 200-202; 

709/225, 229 

(56) References Cited 

U.S. PATENT DOCUMENTS 

4,827,518 A 5/1989 Feustel et al. 

5,229,764 A * 7/1993 Matchett et al 340/825.34 

5,272,754 A 12/1993 Boerbert 

5,280,527 A 1/1994 Gullman et al. 

5,430,827 A 7/1995 Rissanen 

5,534,855 A • 7/1996 Shockley et al 340/825.3 

5,613,012 A * 3/1997 Hoffman et al 382/115 

5,682,478 A 10/1997 Watson et al. 

5,719,950 A • 2/1998 Ostcn et al 382/115 

5,848,231 A 12/1998 Teitelbaum et al. 

6,016,476 A 1/2000 Maes et al. 

6,038,315 A 3/2000 Strait ct al. 

6,067,623 A • 5/2000 Blakley, III et al 713/201 

6,317,544 Bl 11/2001 Diehl et al. 



6,400,806 Bl 
6,434,259 Bl 



6/2002 Uppaluru 
8/2002 Hamidetal. 



FOREIGN PATENT DOCUMENTS 



WO 
WO 
WO 



WO01 11 845 A2 
WO02056138 A2 
WO02077819 Al 



2/2001 H04U29/00 

7/2002 

10/2002 G06F/11/30 



OTHER PUBLICATIONS 



Anonymous, Microsoft Windows NT Resource Kit, 
1985-1993, Microsoft Press, 34-49 ED.* 
Gibbs, Mark, VINES 5.5 receives long-awaited recognition 
for network security, 1993, Network World, pp. 22 and 25.* 
Backman, Dan, Guarding the flank with RADIUS & 
TACACS+, Feb. 1998, Network Computing, pp. 1^.* 
Sullivan, Thomas, Open enterprise networks demand the 
security enhancements in Windows 2000, May 2000, Ent, p. 
1* 

Anderson et al, NOSes enhance Internet accessibility, May 
2000, Network Computing, pp. 1-15.* 
Doherty, Sean, Indian Technologies' Private ID 2.0 let 
users' eyes secure their access, Dec. 2001, Network Com- 
puting, pp. 1-3.* 

(List continued on next page.) 

Primary Examiner — Gail Hayes 
Assistant Examiner— Aravind Moorthy 



(57) 



ABSTRACT 



A rule based biometric user authentication method and 
system in a computer network environment is provided. 
Multiple authentication rules can exist in the computer 
network. For example, there may be a default system-wide 
rule, and a rule associated with a particular user trying to log 
in. There may be other rules such as one associated with a 
remote computer from which the user is logging in, one 
associated with a group to which the user belongs, or one 
associated with a system resource to which the user requires 
access such as an application program or a database of 
confidential information. An order of precedence among the 
rules is then established which is used to authenticate the 



10 Claims, 3 Drawing Sheets 




01/11/2004, EAST Version: 1.4.1 



US 6,618,806 Bl 

Page 2 



OTHER PUBLICATIONS 

Fratto, Mike, PremierAccess heads a pedestrian pack, Sep. 

2002, Network Computing, pp. 1-8.* 

Anonymous, NRl Introduces Finger-Image-Enabled User 

Authentication for Windows NT Operating System, NRI 

Product Write-Up, Nov. 1996 (3 pages). 

Komando, Kim, PC Security Now Just a Fingerprint Away, 

Aug. 1998, Denver Post, pp. 1-2. 

Anonymous, Identicator Unveils Suite of Fingerprint Inden- 
tification Products for the PC, Nov. 1998, Business Wire, pp. 
1-3. 

Anonymous, LogonUser, 1997, Microsoft, pp. 1-3. 
Microsoft Computer Dictionary, 2002, Microsoft Press, 
Fifth Edition, p. 427. 



R. Gallery and T.I.P. Trew, An Architecture For Face Clas- 
sification, 1992, pp. 1-5. 

Cole, George, Biometrics and its benefits, Oct. 1996, Finan- 
cial Times Information Limited, pp. 1-4. 
Anonymous, Entrust Technologies Teams with Schlum- 
berger and American Biometric Company to Provide 
Enhanced Security for Today's Mobile Workforce, Dec. 
1998. 

Anonymous, Biometric Identification Inc. and I/O Software 
Inc. Collaborate to Integrate Fingerprint Verification Tech- 
nology, Dec. 1998. 

Newton, Harry, Newton's Telecom Dictionary, 2002, CMP 
Books, 18th Updated and Expanded Edition, p. 57. 

* cited by examiner 



01/11/2004, EAST Version: 1.4.1 



U.S. Pateimlt 



Sep. 9, 2003 



Sheet 1 of 3 



US 6,618,806 Bl 



z 
o 



3 



< 



IK 



2 

o 

p 

o 
z 

z 
o 

p 
< 
o 
h- 

LU 
X 

I- 

§ 













2 


—1 






UJ 

> 


_J 

o 








tr 

Z 






UJ 












CESS 






o 

CXI 
Q- 










UJ uT 






>S 








-■$! 






UJ 

ce 











at 



o 

o o 
BO 

UJ o 
H Z 



<=?>_ 

ii 

CD X 



o 
or 

2 o 
OZj 

CD O 
^ UJ 



LU 
U. 

cr 

z 

i_ z 

zQ 

UJh- 

f£ o 

UJ> 

CO 5 
LU - 

§1 

UJ p 
> UJ 

ac lu 

LU or 
WD 

Co 
go 

_j 

< 
z 
cr 



L _ _ _ Mi^naj^w_ 



UJ 

tc 


UJ 

CC UJ 

So 




tr > 


SIGN 
E 


Q-Uj 

5° 



HAND 
BSP 


CAPTURE 
DEVICE 




FACE 
BSP 


CAPTURE 
DEVICE 




VOICE 
BSP 


CAPTURE 
DEVICE 




FINGER 
BSP 


CAPTURE 
DEVICE 





.5 
!8 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Sep. 9, 2003 



Sheet 2 of 3 



US 6,618,806 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Sep. 9, 2003 Sheet 3 of 3 



US 6,618,806 Bl 



INVOKE 
LOG-ON 



-301 



ENTER 
USERID & 
DOMAIN 



-303 



305 




BIOMETRIC 
CHALLENGE 



-307 



^N 


PASSWORD 




CHALLENGE 



-309 



STANDARD 
PASSWORD 
AUTHENTICATION 



-311 



BIOMETRIC 
CAPTURE 



-313 



CREATE BIR 
AND SEND FOR 
VERIFICATION 



-315 




5/0- COMPLETE 
LOG-ON 





ACCESS 
DENIED 












LOG 



-331 



-333 



FIG. 3 



01/11/2004, EAST Version: 1.4.1 



US 6,618,806 Bl 

1 2 

SYSTEM AND METHOD FOR nologies presently available today and to integrate with new 

AUTHENTICATING USERS IN A technologies in the future without requiring changes to the 

COMPUTER NETWORK applications. The HA-API specification provides a set of 

standard program names and functions that enable various 

RELATED APPLICATIONS 5 biometric technologies to be implemented easily into appli- 
cation programs for network user identification and authen- 

This application is related to and claims priority from tication. It is foreseen that HA-API will be used both by 

Provisional Application No. 60/091,824, filed Jul. 6, 1998, application/product developers who wish to integrate bio- 

which is incorporated herein by reference. metric technology into their applications as well as by 

This application is related to patent application Ser. No. 1Q biometric vendors who wish to adapt their technologies for 

09/285,028, filed Apr. 1, 1999, which claims priority from use within open system application environments. 

Provisional Apptication No. 60/080,319, filed Apr. 1, 1998, FIG. 1 is a block diagram illustrating the architecture of 

both of which are incorporated herein by reference. HA-API. HA-API provides two interfaces. The first inter- 
face is an application API 101 consisting of functions 103 to 

FIELD OF THE INVENTION determine which biometric technology (finger image, voice, 

^ , . 15 facial image, etc.) is available to the application 10 and a set 

Tne present mvenuon relates to security systems and of funclkms 10s , Q authenticate a user - s ideDtity via any of 

methods tor controlling access to computers. , he available technologies. The HA-API authentication 

BACKGROUND INFORMATION functions 105 hide the unique characteristic of each biomet- 
ric from the application 10. The second interface is a 

The WINDOWS NT operating system (or "WINDOWS 20 Biometric Service Provider (BSP) Interface 111 which pro- 
NT") from Microsoft Corporation of Redmond, Washington vides a common interface for biometric technology provid- 
provides a set of windowed utilities that allows easy setup- e rs to "plug-in" their unique modules 150. BSP modules 150 
and administration of a security system. The WINDOWS contain the capture, extraction (converting biometric fea- 
NT operating system itself is secure and makes its security tures into a digital representation called a Biometric Iden- 
system available to all applications through a standard 25 tifier Re^d), an d matching capabilities of a biometric 
Win32 security API. vendor. 

An important aspect of the WINDOWS NT security The full text of the Human Authentication API has been 

system is that it is user-centric. Each line of code that published by the Biometric Consortium (available at 

attempts to access a secure object (file, printer, pipe, service, www.biometrics.org). 

etc.) must be associated with a particular user. A user must 30 SUMMARY OF THF TNVFNTION 
identify himself to WINDOWS NT using a user ID and a SUMMARY Oh IHb INVENIION 
password, via a log-on function. Each security check is Tb c present invention provides a rule based biometric 
made against the user's identification. user authentication method and system in a computer net- 
As a result, it is not possible, for example, to write code „ work environment. Multiple authentication rules can exist in 
that prevents an application (e.g., Microsoft EXCEL) that is 3 the computer network. For example, there may be a default 
running under WINDOWS NT from accessing an object. system-wide rule, and a rule associated with a particular user 
For instance, an object can be secured against access from lr y in S 10 lo § m - There ma y be olher mles such as one 
user Joe running EXCEL, but if user Carla is allowed to associated with a remote computer from which the user is 
access the object, she can do so using EXCEL or any other logging one associated with a group to which the user 
application. All Carla has to do is identify herself to WIN- 40 DeIon S s > or one associated with a system resource to which 
DOWS NT using her password tne user rca t u i res access such as an application program or a 
Thus the entire validity of the WINDOWS NT security database ° f confidential information. An order of precedence 
system is based on accurate identification of the user am ° n S. the ™ les then establtshed wh.ch ,s used to 
WINDOWS NT user authentication is based on user IDs and au'nenticate the user. 

passwords. Once a password is compromised, a general In op" 41 ™. a user identification such as a password is 

collapse of the security system can occur. There is therefore "**ived. «* ™ authentication rule associated with the user 

a need for a capability that adds a second factor to password- ex,sts - the s y sleta accordin g to *e present invention authen- 

based authentication mechanisms such as that of WIN- tlcates ,he *** ^ a ca P lured biometric information and a 

DOWS NT. Such a capability should also ensure robustness < n previously stored biometric information according to the 

while improving end-user convenience. authentication rule associated with the user. If not, the 

Not only do passwords present a security risk, they are Sy f em authen «j cates tbe ™* " ith *o captured biometric 

also costly to administer. To provide an acceptable level of informa,10n and previously stored biometric information 

security, it is not uncommon to require changing corporate acc °rd.ng to a system default rule, n that embod.ment, the 

users' passwords every 30 to 60 days. This % not only an 55 ^ haS * hlghef P recedence than ,he default 
annoyance to the user, it is a major resource drain on system 

administrators. Surveys have shown that over 50% of the BRIEF DESCRIPTION OF THE DRAWINGS 

calls received by internal corporate hotlines are password FIG. 1 is a block diagram of the architecture of the Human 

related. Adding to this the lost productivity of professional Authentication API (HA-API 

office workers' trying to .figure ^out what their correct current 60 2 is a block diagram of an exemplary system in 

password is, or requesting to be reinstated on the network, accordance ^ lhe presenl mven tion. 

leads to an estimated annual cost of maintaining passwords rrir % Q n™ .u,,, , , 

of as high as $300 per user. FIG ' 3 " » fl ° W charl f d * piCllDg ^ exem P lar y lo g-° n 

„ «. , JT " „ . „ process with the system of the present invention. 

Saflink Corporation, with funding from the U.S. Depart- 
ment of Defense, has developed a Human Authentication 65 DETAILED DESCRIPTION 
application program interface (API), or HA-API, which FIG. 2 is a block diagram showing the various compo- 
allows applications to work with multiple biometric tech- nents in an exemplary system in accordance with the present 



01/11/2004, EAST Version: 1.4.1 



US 6,618,806 Bl 

3 4 

invention. The exemplary embodiment described operates in Second, the SAF Server 220 maintains a database 221 of 

conjunction with the WINDOWS NT operating system. Biometric Identifier Records (BIRs) for a plurality of reg- 

Although a WINDOWS NT-based embodiment is described, istered users. Each BIR contains biometric information for 

the system of the present invention is applicable to a wide a user, preferably in accordance with the HA- API specifi- 

variety of operating systems. 5 cation. Each registered BIR is associated in the database 221 

An exemplary embodiment of a system in accordance with the corresponding user's userlD and password. The 
with the present invention includes a plurality of software SAF Server 220 verifies the BIR of a user attempting to 
modules: a Graphical Identification and Authentication log-on. Biometric matching is performed at the SAF Server 
(GINA) DLL 255; SAF Server 220; SAF/NT VF Sub- 220 - ™s provides the strongest identification and authen- 
authentication filter 213; extensions to WINDOWS NT User ™ tication possible since the server is typically physically 
Manager 240 and Server Manager 260; and SAF Transaction secured. Since it is not practical in most networks to 
Client 275. In addition, a modified WINDOWS 95/98 Net- physically secure client workstations, other biometric log-in 
work Provider may be included for WINDOWS 95/98 solutions that perform the biometric match at the remote 
installations. These modules can be installed as an add-on or clienl workstations are more vulnerable to a determined 
over-pack to the basic WINDOWS NT operating system. ™ hacker attempting to circumvent the authentication process. 
Once Microsoft's standard products, such as WINDOWS The SAF Server 220 supports multiple biometric types 
NT Client 250, WINDOWS NT Server, and SQL Server (e.g. fingerprint, voice print, facial shape, etc.) and multiple 
have been installed on a computer system, the aforemen- vendor technologies for each biometric type. A system 
tioned modules of the system of the present invention can be administrator can set the primary biometric type and tech- 
installed. 20 nology for each user. At authentication time, the primary 

The GINA DLL 255 is the portion of the WINDOWS NT biometric type and technology are compared with the client 

client 250 that challenges a user for their userlD, domain, workstation's capabilities. If the workstation does not have 

and password. As part of SAF/NT, the GINA DLL 255 is the necessary resources to capture the primary biometric, the 

modified to include biometric identification in accordance user can be optionally challenged for a password, 

with the present invention. The modified GINA DLL 255 25 The SAF Server 220 also maintains the state of all 

preferably can be invoked with the same key sequence (e.g., workstations in the domain, logs failed verification requests 

CTRL+ALT+DEL) used to invoke the standard GINA DLL. in the NT security log and logs system administrator access 

The modified GINA DLL 255 communicates with the m the NT security log. 

SAF Server 220 (described below) to determine the state of 3Q In the exemplary embodiment, communications between 

the workstation, to query the registration status of a user, and client workstations and the SAF Server 220 is via Remote 

to verify the user's BIR. The GINA DLL 255 also commu- Procedure Calls (RPC) and is encrypted. A different encryp- 

nicates with the NT security subsystem 211 to log a user tion key is used for each session between a client and the 

onto a workstation or domain controller 210. server. If a strong encryption version of the WINDOWS NT 

The modified GINA DLL 255 may also preferably pro- 35 operating system is used, 128-bit keys are generated, 

vide a secure screen saver capability that locks a worksta- Multiple SAF Servers can be configured using the repli- 

tion's keyboard and hides information displayed on the cation services of SQL Server and Microsoft's Cluster 

video monitor during a user's absence from the workstation. Server (Wolfpack). The SAF Server(s) can be located on a 

Upon return, only the user's biometric is required to unlock domain controller, back-up domain controller, or on separate 

a biometrically enabled workstation. If a password-only user 40 physical servers. This provides for scalability and resiliency 

is logged on to a biometrically enabled workstation, then the of the SAF Server in large networks, 

user's password will unlock the workstation. The screen The SAF Server facilitates centralized management of 

saver can be invoked manually through a key sequence or user identification and authentication and also makes it easy 

via a configurable time-out value. to integrate additional biometric identification application 

The SAF/NT Windows 95/98 Network Provider delivers 45 modules in the future. All user information can be stored in 

the same functionality as the GINA DLL for domain log-ons a database, such as a Microsoft SQL Server database, using 

from a WINDOWS 95/98 workstation. Since WINDOWS encryption, such as RSA's RC4 encryption. 

95/98 does not support the same level of security for the Extensions to WINDOWS NT's standard User Manager 

client workstation as does WIDOWS NT, biometric authen- and Server Manager provide enrollment and maintenance 

tication is supported for domain log-ons only. 50 functions used by a systems administrator to register 

The SAF Server 220 performs several functions. First, the userlDs, passwords, BIRs, and workstation information into 
SAF Server 220 responds to requests from the GINA DLL tDe SAF Server's database. The extensions also allow a 
255 to query the registration status of a user with a command systems administrator to delete a user, query a user's status, 
to capture the appropriate biometric or password. A user can delete a workstation entry, and change the state of a work- 
have multiple biometrics registered (fingerprint, voice print, 55 station. The extended User Manager 240 and Server Man- 
facial shape, etc.), with one biometric designated as primary. ager 260 can communicate with the SAF Server 220 using 
The primary biometric for a user is the biometric the user NT RPC. All data is encrypted. 

would normally be challenged for if the workstation sup- FIG. 3 shows a flow chart of an exemplary log-on process 

ports the capture device. If the workstation does not support in accordance with the present invention, 

the user's primary biometric (e.g., fingerprint) but does 60 At step 301, a user invokes the log-on process, such as by 

support a secondary biometric for which the user is regis- pressing the standard WINDOWS NT key sequence C\rV 

tered (e.g., voice), the SAF Server 220 will command the Alt/Del. At step 303, the user enters his userlD and domain. 

GINA DLL 255 to capture the secondary biometric. As such, If it is determined at step 305 that the user's BIR is 

the SAF Server 220 controls the biometric capture procedure registered, the user is challenged at step 307 for his biomet- 

in accordance with the user's biometric status as well the 65 ric features (e.g., finger image, voice, facial image, etc.) If 

biometric capabilities of the workstation by which the user it is determined at step 305 that there is no registered BIR for 

seeks access. the user, the user is challenged at step 309 for his password. 



01/11/2004, EAST Version: 1.4.1 



US 6,618,806 Bl 



Log-on will then occur, at 311, using standard WINDOWS 
NT password authentication. 

At step 307, the user is challenged to provide a biometric 
input for capture by the system. This procedure can be 
carried out with the assistance of a biometric capture wizard 5 
displayed on the computer. Once challenged for a biometric, 
the user follows the instructions of the biometric capture 
wizard. Each type of biometric requires the user to follow a 
different set of instructions such as placing a finger on a 
scanner for finger image, speaking a phrase into a micro- 10 
phone for voice recognition, or facing a camera for facial 
authentication. The biometric is captured at step 313, 

At step 315, the modified GINA DLL creates a BIR from 
the captured biometric and sends the BIR with the userlD to 
the SAF Server for verification. The SAF/NT Verification 15 
Server 222 retrieves the user's record and compares the BIR 
submitted by the user to the BIR stored in the database 221. 
The comparison of BIRs is carried out using a HA-API 
compliant Biometric Service Provider (BSP) module 225 for 
the given biometric. Such modules are available, for 20 
example, from Visionics (for face image), ITT (voice) and 
Cogent (fingerprint). At step 317, the SAF/NT Verification 
Server makes a yes/no decision and returns this decision to 
the user's workstation. 

25 

If the verification server 222 verifies that the user is 
authorized to log on, the server will retrieve the user's 
password from the database 221 and send the user's pass- 
word back to the workstation where the log-on will be 
completed, at step 319, via the GINA DLL 255. The comple- 3Q 
tion of the log-on procedure is transparent to the user. If the 
verification server decides that the user is not authorized, at 
step 321 the user will be denied access and an "access 
denied" message will be displayed on the screen. 
Additionally, at step 323, the failed verification will be 
logged, such as in the WINDOWS NT security log. 

A SAF/NT Validity Flag Sub-authentication filter 213 is 
optionally installed on the domain controller 210. The filter 
213 communicates with the SAF Server 220 to check the 
status of a user's validity flag whenever an authorization 40 
request for that user is received by the domain controller 
210. Validity flags are used to determine whether users 
attempting to log-on were recently authenticated by the SAF 
Server 220 within some preselected time interval (e.g., .1-2 
seconds) prior to being authenticated by the standard pass- 45 
word security system 211. If a user attempting to log-on was 
not recently authenticated by the SAF Server 220, that 
indicates that the user wrongfully by-passed the SAF/NT 
biometric authentication system. The combination of the 
workstation state and the validity flag prevents a person 50 
from disabling the biometric capture hardware on a work- 
station in an attempt to bypass the biometric authentication 
process and use a password only. The validity flag contains 
a time stamp. 5 

A SAF Transaction Client 275 allows a custom applica- 55 
tion 270 to verify a user's identity via the SAF Server 220, 
subsequent to a successful logon. The identification can be 
of the currently logged-on user or another user who is 
enrolled in the SAF database. A supervisory override on a 
transaction is an example of a situation in which another user $o 
would be identified. 

At a time when "hacker contests" result in mainframe 
security breaches at the Pentagon and other government 
agencies, the need for a comprehensive data security plan 
has never been greater. Managing information security is 65 
now a major enterprise challenge, as applications evolve to 
run over a mix of public and private networks. To be 



35 



effective, information security must adapt to business needs, 
enable business processes, and become an integral compo- 
nent of business systems. 

As the world shifts from an industrial economy to one 
based on information, key new technologies led by the 
Internet are enabling a business revolution where people and 
businesses are interacting in new and exciting ways. The 
ability to make information accessible from anywhere in the 
world that has an Internet connection and a browser has been 
a catalyst for a whole new breed of business applications. 
Internet based enterprise network applications that provide a 
consistent view of a company and its services, enable better 
communication both inside the company and between the 
company and its partners, suppliers, and customers. They 
provide a strategic competitive advantage on both the top 
and bottom lines. 

Security is a principle enabler of the information-based 
economy, allowing for the creation of the virtual corporation 
and the migration of business applications to Internet based 
enterprise network applications. Today, the distinction 
between the "good secure" internal network and the "bad 
insecure" external network is no longer valid. Companies 
must not only protect the perimeter and interior of their 
network, but also the data and applications used to run the 
business in a global information anytime, anywhere envi- 
ronment. 

Internet-based enterprise network applications require 
security solutions for implementing business policies. Each 
organization has to establish and enforce policies covering 
when and how users are identified before accessing propri- 
etary information. At Saflink Corporation, an assignee of the 
present application, it has developed a software called 
SAFsite that delivers a next-generation identification and 
authentication (I&A) solution which lets organizations 
enforce their business policies securely. In developing the 
SAFsite product, Saflink began by designing a base archi- 
tecture for an enterprise network solution. The resulting 
multi-biometric I&A framework is network-centric, and 
features a central SAF Server that may be shared by all Web 
applications. This facilitates centralized management of user 
identification and authentication and also makes it easy to 
integrate additional application modules as time goes on. 
SAFsite is HA-API compliant (a recognized industry 
standard) supporting multiple biometrics, affording users 
maximum flexibility and choice. 

SAFsite provides biometric-based identification and 
authentication of Web site administrators and end-users with 
access privileges to protected Web information. It is built on 
the proven SAF architecture, supporting multiple 
biometrics, and is integrated with the other members of the 
SAF family. 

SAFsite delivers the most positive form of user identifi- 
cation and authentication. A comprehensive data security 
plan includes a number of elements — encryption, access 
control hierarchies, security policies, physical security of 
data servers, etc. But the cornerstone of any sound enterprise 
security plan is user I&A. Without uncompromising I&A, 
other elements of the security solution are jeopardized. And, 
nowhere in an enterprise network is user identity more in 
question than on the Internet. 

SAFsite is a software development kit which allows 
multi-biometric based I&A to be integrated into enterprise 
network applications designed for the Internet built with 
leading rapid application development tools such as Ever- 
ware Development Corporation's Tango, Allaire's Cold 
Fusion, NetObject's Fusion, Microsoft's Visual InterDev, 



01/11/2004, EAST Version: 1.4.1 



US 6,618,806 Bl 

7 8 

HAHTSite, and NetDynamic's Enterprise Network Appli- Layer and all data is encrypted. The Web application also 

cation Platform. interfaces to the authentication client library. The authenti- 

Each user whether a Web site administrator, employee, or cation client library provides an interface for communicating 

customer attempting to access protected, proprietary infor- to the SAF Server. All data buffering and session manage- 

mation is biometrically authenticated by SAFsite prior to 5 ment between the browser extensions and the authentication 

gaining access permission. When a user attempts to access client library is the responsibility of the Web application, 

a protected Web page, SAFsite challenges the user for their The third component is the SAF Server that accepts 

userlD. For a user who belongs to a group, the userlD may requests from multiple clients. The SAF Server communi- 

include a primary key that identifies the group and a sec- cates directly with an encrypted database that maintains user 

ondary key that identifies the user within that group. The 1Q information. This information includes user name, biometric 

keys may be typed in by the user, or automatically generated records for each user, authentication rule, and additional 

by, for example, the swipe of an employee ID card through application specific data such as encrypted password or key 

a card reader. Based on a set of enterprise security policies f or another data table. Primary and secondary keys are 

SAFsite then challenges the user for the appropriate bio- maintained for those users who belong to a group. This 

metric credentials, such as finger-image, voice print, or would allow for the authentication server to be extended to 

facial image. The user's biometric is captured, individual support 1 to few searching, based on the secondary key. That 

characteristics are extracted from the biometric, and a digital the biometric record of the user is compared against those 

representation of the characteristics are sent to the SAF of lhe group mem b e rs. The components of the server can 

Server 220 for authentication. SAFsite supports both exist on a singIe machine> or can reside on multiple 

Microsoft's Internet Explorer and Netscape Communicator mac hines, taking advantage of distributed object architec- 

browsers. tures such as DC0 M or CORBA, which would handle load 

The SAF Server 220 maintains a database 221 of all users balancing and referral services for the server. Communica- 

and their biometric credentials. Biometric matching is per- t ion between the client and server is via Secure RPC, using 

formed at the trusted SAF Server 220. This provides the lhe strongest encryption available on the data being sent, 

strongest identification and authentication possible since the According to a preferred embodiment of the present 

server is typically physically secured. Since it is not practical mvenu on, SAF Server authentication employs a rule-based, 

in most networks to physically secure client workstations, multiple biometric solution. Rule-based authentication 

other biometric log-in solutions that perform the biometric aliows for a powerful, yet extremely flexible mechanism for 

match at the remote client workstation are more vulnerable identifying users. It also allows for the combinations of 

to a determined hacker attempting to circumvent the authen- 3Q mulliple b i ome trics to be mixed to offer strong authenlica- 

tication process. ^ on R u j es can De as simple as logging on with a single 

All user information is stored in the Microsoft SQL Server biometric, or can be as complex as specifying multiple 

database using RSA's RC4 encryption. In its current authentication paths, depending on time-of-day, security 

implementation, SAFsite requires the customer to purchase i eve l, applicable biometric success, and reasonable false 

one of the versions of Microsoft SQL Server (workstation or 35 accept/reject levels. A hierarchy of rules precedence is also 

server) or the Microsoft Back Office suite. The communi- maintained. 

cations between the browser's biometric ActiveX control or Rule 5ased b i om etric authentication is the notion of 

plug-in and the SAF Server is via Secure Sockets Layer. authenticating a user based on a variety of rules which 

Communication between a Web application and the SAF specify different actions to take depending on the parameters 

Server is via Remote Procedure Calls (RPC) and is 4Q specified by the rule. Parameters may include time of day, 

encrypted. If a strong encryption version of the Windows NT maaiiy level> success /f a ilure of a specific biometric, or false 

operating system is used, 128 bit keys are generated. accept/reject levels. Additional parameters can be specified 

Scalability and resiliency of the SAF Server in large by an application to suit particular authentication needs, 

networks is provided for through the ability to configure Examples of a rule may be "use a fingerprint or facial 

multiple SAF Servers using SQL Server replication services 45 biometric information for authentication during business 

and Microsoft's Cluster Server (Wolfpack). The SAF Server hours", "use a combination of fingerprint and facial biomet- 

(s) can be located physically on a Web server or on separate n C information during non-business hours and authenticate 

physical servers. tne on j v wnen the confidence level of the match is 

As an overview of the SAFsite architecture, it provides a above 90%", or "authenticate a user using any biometric 

foundation for user-based, multiple biometric identity 50 information with a confidence level of at least 95%". 

authentication for Web based enterprise network applica- Multiple rules can exist inside the entire client/server 

tions. It can be used as is, or extended to provide a powerful, world. Therefore an order of precedence is defined. By 

yet flexible password replacement or augmentation mecha- default, a system wide rule is defined. This rule has the 

nism - lowest of precedence and may be as simple as a single 

SAFsite includes three main components: browser bio- 55 biometric authentication such as "use a fingerprint biometric 

metric extensions, the authentication client library, and the information for authentication". If secondary keys are used 

SAF Server. The first component, browser biometric in the authentication database, a primary key can have a rule 

extensions, includes a Microsoft Internet Explorer active-X associated with it. For example, for access to a joint account 

control and a Navigator Communicator "plug-in" that cap- in an Internet banking application software, a user may have 

ture an individual's user-ID and biometric information, such 60 a primary key associated with the account such as the main 

as finger print facial shape, or voice print. The browser account number and a secondary key associated with the 

biometric extensions provide biometric capture for both user himself such as his own sub-account number or a Social 

enrollment and authentication. They interface with a Security number. This allows for group based rules. This 

HA- API Biometric Service Provider module (see HA-API group-based rule has precedence over the system default 

specification for details). 6 5 rule. A particular user (identified by a unique primary and 

The first component, browser biometric extensions, com- secondary key combination) can have an associated authen- 

municatcs with the Web application via Secure Sockets tication rule. This authentication rule has precedence over 



01/11/2004, EAST Version: 1.4.1 



United States Patent im 

Lam 



US005564037A 
[li j Patent Number: 
[45] Date of Patent: 



5,564,037 
Oct 8, 1996 



[54] REAL TIME DATA MIGRATION SYSTEM 
AND METHOD EMPLOYING SPARSE FILES 

[75] Inventor Wai T. Lam, Westbury, N.Y. 

[73] Assignee: Cheyenne Software International 
Sales Corp., Roslyn Heights, N.Y. 



[21] Appl. Na: 413,056 

[22] Filed: Mar. 29, 1995 

[51] Int CL 6 

[52] U.S. CL 

[58] Field of Search ..... 



. G06F 12/02; G06F 17/30 

395/488; 395/600 

395/488, 600 



[56] References Cited 

U.S. PATENT DOCUMENTS 

5.276.867 1/1994 Kcnlcy ct at. 395/600 

5,317,728 5/1994 Tevia et aL 395/600 

5333315 7/1994 SaetheretaL 395/600 

5,367,698 11/1994 Webber etaL 395/800 

5,479,656 12/1995 Rawlings, HI 395/497.02 



5,495,607 2/1996 Pisello et al „ 395/600 

5.506,986 4/1996 Healy .... 395/600 

OTHER PUBLICATIONS 

Novell® NetWare® 4.0 Architecture Revision 6.0, Software 
Developer's Kit, May 1993. 

Primary Examiner— Paul V. Kulik 

Attorney, Agent, or Firm— Kenyon & Kenyon 

[57] ABSTRACT 

A system and method for real time data migration in a 
networked computer system uses a known operating system 
feature, a sparse file, to represent a migrated file. The sparse 
file consumes a minimum amount of physical space on the 
file server but is defined as having the same size and 
attributes as the original final When a user accesses a 
migrated file, the file appears to be resident on the file server 
and is automatically and transparently returned to the file 
server from an optimized storage location in a hierarchical 
storage management system. 

13 Claims, 4 Drawing Sheets 




COMMAND 
MIGRATE 



JD TO^v 



| OPEN THE FILE 



READ THE FILE 



TRANSMIT FILE DATA 
TO SECONDARY STORAGE 



D 



TRUNCATE THE 
ORIGINAL FILE 



SO 



S1 



S2 



S3 



S4 



STORE MIGRATION KEY 


S5 


IN SPARSE FILE 


i 


r 




DEFINE FILE SIZE 




TO ORIGINAL SIZE AS 


S6 


A SPARSE FILE 






EXIT 



S7 



01/10/2004, EAST Version: 1.4.1 



UoSo Pataatt 



Oct 8, 1996 



Sheet 1 of 4 



>64J37 



r 



CM 





>- 




01 ill 




< o 




Q< 




2 (XL 




oo 


/ 


O f— 


o 


LU CO 


CM 


CO 





g 

ill 



J 




01/10/2004, EAST Version: 1.4.1 



UcSo Patent 



Oct 8, 1996 Sheet 2 of 4 



5,564,(0)37 



MIGRATE A FILE,) 



OPEN THE FILE 



I 



READ THE FILE 



I 



TRANSMIT FILE DATA 
TO SECONDARY STORAGE 



I 



TRUNCATE THE 
ORIGINAL FILE 



I 



STORE MIGRATION KEY 
IN SPARSE FILE 



I 



DEFINE FILE SIZE 
TO ORIGINAL SIZE AS 
A SPARSE FILE 



so 



S1 



S2 



S3 



S4 



S5 



S6 



S7 



FIG. 2 



01/10/2004, EAST Version: 1.4.1 



Uo§ 0 Patemtt octs,i996 sheet 3 ©r 4 5 9 §64$37 




READ MIGRATION 
KEY INFORMATION 



I 



REQUEST TO 

STAGE 
CONTROLLER 



I 



LOCATION OF 
FILE DETERMINED 



I 



FILE SENT TO 
FILE SERVER 



S10A 



S10B 



S10C 



S10D 



1 



READ DATA FROM 
SECON DAR Y/TERTIARY 
STORAGE 



I 



OPEN THE 
SPARSE FILE 



I 



FILL THE SPARSE FILE 
WITH ORIGINAL DATA 



I 



STORAGE MIGRATION 
KEY INTO EXTENDED 
ATTRIBUTE (EA) 




EXIT 



S11 



S12 



S13 



S14 



S15 



FIG. 3 



01/10/2004, EAST Version: 1.4.1 



UoSo Patent Oct 8, 1996 Sheet 4 of 4 



5 9 564 9 (D)37 




m 




01/10/2004, EAST Version: 1.4.1 



5,564,037 



REAL TIME DATA MIGRATION SYSTEM 
AND METHOD EMPLOYING SPARSE FILES 

FIELD OF THE INVENTION 

The present invention relates to a hierarchical storage 
management system and method in a networked computer 
system. More particularly, the present invention relates to a 
method for automatically and transparently migrating data 
from a file server to an auxiliary storage device. 

BACKGROUND INFORMATION 

Server-based data management systems have become 
standard office equipment and the need for data management 
is growing rapidly. Today, many employees in large corpo- 
rations have a personal computer (PQ or a workstation that 
is connected to other computers via a Local Area Network 
(LAN). 

A LAN generally includes a plurality of computer sys- 
tems, such as computer workstations, that are connected 
together to share data and resources, such as a main memory 
and/or a printer. The LAN often includes file servers pro- 
viding the network services. A file server is generally a node, 
e.g. a computer, on a computer network that provides service 
to the computer terminals on the network through managing 
a shared resource. For example, a file server can manage a 
set of storage disks and provide storage and archival services 
to. computer terrmnals on the network that do not have their 
own disks, or that have data that needs to be stored exter- 
nally. 

Storage requirements of LANs are growing at a stagger- 
ing rate. Many of today's servers handle gigabytes of data. 
In addition, the ability to store and protect data has become 
a critical issue for marry network users. The most common 
way of protecting data is to keep it in more than one location. 
Server-based data management systems, such as the ARC- 
serve® data management system, provide back-up and pro- 
tection of data stored on a LAN file server and/or computer 
systems connected to the LAN. 

Merely providing back-up and storage of data from a 
computer network, however, is not sufficient In particular, 
the external storage of data needs to be automatic, optimal, 
and transparent to the network user. One technique for 
providing efficient external storage of data from a computer 
network is hierarchical storage management (HSM). 

HSM includes storing computer network data external to 
the file server in a hierarchy of secondary, and possibly 
tertiary, storage devices. The external storage devices are 
generally high capacity storage devices such as Write Once 
Optical, Rewriteable Optical and Magnetic Tape. For 
instance, an optical storage device and a magnetic tape drive 
can be coupled to the file server as secondary and tertiary 
storage devices, respectively. Based on criteria established 
by the HSM application, data stored in the file server can be 
migrated to the optical storage device and, based on select- 
able criteria, further migrated to the tape drive. 

For example, the frequency of use of the data can be used 
as a criterion for migrating the data from the file server to the 
secondary and tertiary storage devices. By migrating data 
which is infrequently used or accessed, space can be freed 
on the file server while users continue to scan files as if they 
still resided on the file server. Migration refers to the 
movement of data from a file server into a storage hierarchy 
(e.g. the external storage devices). Demigration refers to the 
retrieval of data from the storage hierarchy to the file server. 



10 : 



15 



20 



25 



30 



35 



40 



45 



50 



55 



60 



65 



To obtain optimal benefit of a HSM application, the 
secondary and tertiary storage devices are arranged in a 
hierarchical arrangement for storing the data.. Thus, a data 
file that has resided on the, network file server for a 
predetermined period of time can be migrated initially to an 
optical storage device, which provides for a relatively fast 
response time when the file is requested by the network file 
server. If the data file remains on the optical storage device 
for a predetermined period of time without being requested 
by the file server, then the data file can be further migrated, 
in accordance with a storage hierarchy, to a magnetic tape 
storage device, which has a relatively slow response time 
compared to the optical storage device. Thus, a hierarchical 
storage management system provides for a more efficient 
method of storing the data files of a networked computer 
system based on the cost, speed and capacity of the hierar- 
chy of storage devices. 

When a file is migrated from a file server, the original file 
is represented on the file server as a stub file, also referred 
to as a phantom file or a tombstone. The stub file represents 
the original file while using a minimal physical space 
allocation, thereby freeing as much space as possible on the 
file server. The stub file should also represent, however, the 
properties of the original file as closely as possible, e.g., the 
file size, the date created, the date last accessed or certain 
attributes, such as a read only file. Depending on the 
particular HSM implementation which performs the migra- 
tion, however, the file size is not accurately represented. 
Rather, the stub file remaining at the file server has a size of 
0, 422 or 1000 bytes, regardless of the actual size of the 
original file. For example, a 100 megabyte file can be 
migrated from the network file server to an external storage 
device and the stub file left on the file server generally will 
appear with a size of, 0, 422 or 1000 bytes. 

Thus, known migration implementations may reduce the 
physical space allocation of the file server through the use of 
stub files to represent the migrated file, but the known 
migration methods do not accurately represent the actual 
properties of the original file. The accuracy of the represen- 
tation, particularly the size of the original file, is important 
information for any software application where file size is 
utilized. For example, some LAN software applications 
attempt to provide statistical analysis of the amount of data 
owned by the file server, or perform some custom function 
based on particular file sizes reaching a predetermined value. 
If migrated files are not accurately represented, then the 
analysis or custom functions may not be properly per- 
formed. In addition, a DOS® operating system DIR com- 
mand, for example, would provide the wrong file size to the 
user and lead to user confusion over the actual size of the 
file. Similarly, a DOS® operating system COPY command 
might show a 1000 byte size for a migrated file that is 
actually 2 megabytes, thus causing the user to attempt to 
copy the file onto a floppy disk that is too small. 

A HSM implementation is generally tailored for particular 
LAN operating systems. For example, the NOVELL® Net- 
Ware® operating system is used in many LAN systems. 
Several versions of the NetWare® operating system exist, 
including versions 3 jc and 4.x. 

For example, in the NetWare® or^rating system versions 
4.x, a Real Time Data Migrator (RTDM) feature is included 
Using this feature, the contents of a file in a NetWare® file 
server (e.g. a file server running the NetWare® operating 
system) can be migrated to a secondary storage device with 
a file directory entry representing the migrated file being left 
in the file server. The file directory entry is empty and thus 
will not occupy physical space in the NetWare® file server. 



01/10/2004, EAST Version: 1.4.1 



5,564,037 



3 

In addition, the file directory entry will indicate the correct 
properties of the migrated file, including the actual size of 
the migrated file. When the migrated file is requested by the 
file server, the file will be automatically retrieved into the file 
server. s 

Thus, the NetWare® operating system version 4.x RTDM 
provides a tool for automatically and transparently migrating 
files from a NetWare® volume to secondary storage while 
keeping accurate directory entries in the original NetWare® 
volume for migrated files. On the other hand, the NetWare® 10 
operating system versions 3.x, for example, do not provide 
a migration functionality. Accordingly, software vendors 
must create a data migration function for NetWare® oper- 
ating system version 3.x file servers. Known migration 
applications, however, do not provide a directory entry on l * 
the file server which is an accurate representation of the 
migrated file; depending on the application, the remaining 
directory entry will be a stub file having a size of 0, 422 or 
1000 bytes rather than the actual size of the migrated file. 

An object of the present invention is to provide for 20 
migration of data from, for example, a NetWare® version 
3.x file server that eliminates the use of a stub file that does 
not accurately represent the size of the migrated file. Another 
object of the present invention is to provide file migration 
and demigration that is absolutely transparent to the user. 25 



SUMMARY OF THE INVENTION 

The system and method according to the present invention 30 
uses a known operating system feature, a sparse file, to 
represent a migrated file. A sparse file is a file which has a 
physical size (e.g. a physical allocation) that is less than its 
logical, or apparent, size. The sparse file thus minimizes the 
physical space occupied by a file while retaining the actual 35 
properties of the file, such as the size and the date created. 
A sparse file also can delete all data blocks of the original file 
and be defined as having a file size equal to the original file, 
thus accurately representing the original file while occupy- 
ing essentially no physical space. 40 

According to the system and method of the present 
invention, when a file is migrated from a file server to a 
storage medium, the file to be migrated is replaced in the file 
server with a sparse file defined as having the same logical 
size and attributes as the original file. The sparse file, 45 
however only consumes the minimum amount of space 
required to store a file, eg. one data block. Migration key 
information is stored in the sparse file so that the file server 
can retrieve the migrated file when accessed by a user. When 
a user accesses a migrated file, the file appears to be resident 50 
on the file server with the actual properties of the file, and 
is automatically and transparently brought back to the file 
server from the secondary or tertiary storage medium. Thus, ' 
the hierarchical storage management method according to 
the present invention eliminates the use of a stub file having 55 
a predetermined and inaccurate size to represent a migrated 
file. 



BRIEF DESCRIPTION OF THE DRAWINGS «> 

FIG. 1 shows a local area network system employing a 
hierarchical storage management system according to the 
present invention. 

FIG. 2 is an illustrative flowchart of the method for real 65 
time data migration employing sparse files according to the 
present invention. 



4 

FIG. 3 is an illustrative flowchart of the method according 
to the present invention for real time data demigration 
employing sparse files according to the present invention. 

FIG. 4A shows a data file having a logical size. 

FIG. 4B shows a conventional sparse file representation 
of the file shown in FIG. 4A. 

FIG. 4C shows a sparse file representation of the file 
shown in FIG. 4A according to the present invention. 

DETAILED DESCRIPTION OF THE 
INVENTION 

FIG. 1 illustrates a LAN system 1 including a HSM 
system 2 according to the present invention. The HSM 
system 2 provides HSM capabilities, for example, to the 
NetWare® operating system version 3.x environment and 
includes a file server 10, also referred to as a primary storage 
device, coupled to a secondary storage device 20:* The 
secondary storage device 20 is further coupled to a tertiary 
storage device 30. By optimal use of the file server 10, 
secondary storage device 20 and tertiary storage device 30, 
the HSM system 2 can automatically and transparently 
hierarchically store, for example, gigabytes of data. 

The LAN system 1 has, for example, a client-server 
architecture. The client is, for example, a plurality of work- 
stations 40 coupled to the file server 10. A workstation 40 
includes, for example, a microprocessor based computer 
system. At least one of the workstations 40 provides an 
interface for a user to establish migration criteria for data 
migration from the file server 10. The server side includes 
the file server 10 having a migration engine 11 that provides 
transparent data migration service from the file server 10 and 
demigration service to the file server 10. 

The migration engine 11, for example, periodically runs 
and identifies inactive files according to predefined criteria. 
Once files are identified for migration, the files are migrated 
into a storage hierarchy of the HSM system 2, thereby 
resulting in additional storage space for active files on the 
file server 10. Hie HSM system 2 then manages the migrated 
files for migration within the storage hierarchy until the 
lowest level of the storage hierarchy is reached. 

As shown in FIG. 1, the server side includes, for example, 
three distinct modules. The first module is the file server 10 
from which it is desired to move preselected files, such as 
infrequently accessed files, to less expensive storage 
devices. The second module is the secondary storage device 
20, such as an Optical Stage which supports an optical 
storage device. The Optical Stage can be on the same or a 
different NetWare® operating system server as the file 
server 10. The third module is the tertiary storage device 30, 
such as a Tape Stage which supports a tape changer. The 
Tape Stage can be on the same or a different NetWare® 
operating system server as the file server 10 or Optical Stage 
20. The second and third modules together form the storage 
hierarchy. Generally, each stage in the storage hierarchy is a 
uniform collection of storage media, e.g. all media in the 
stage have the same physical property. Communication 
between the stages is done through a native NetWare® 
operating system communication protocol, such as IPX, 
SPX, TLI or TCP/IP In addition to the secondary storage 
device 20 and tertiary storage 30 shown in FIG. 1, additional 
storage stages can be added to the HSM system as desired. 

The optical storage device 20, such as a Rewriteable 
Optical device, generally has an access time in the 5-10 
second range, as the storage media is removable and will 
usually need to be brought into the drive and spun up before 



01/10/2004, EAST 



Version: 1.4.1 



5,564, 

5 

it can be accessed. A jukebox device can be used for 
automatic operation of the optical storage; otherwise an 
operator would have to manually service media load 
requests. The tape storage device 30, such as a Hewlett- 
Packard 8 mm Tape Drive, can have an access time of 5 
several minutes, as the storage media is removable and will 
usually need to be brought into the drive before it can be 
accessed. An autochanger can be used for automatic opera- 
don of the tape storage; otherwise an operator would have to 
manually service media load requests. to 

Each stage in the exemplary storage hierarchy shown in 
FIG. 1 is controlled via a stage migrator 21, 31, respectively. 
The stage migrators 21, 31 include, for example, a software 
program resident on the file server 10 or on a separate file 
server. The stage migrators 21, 31, are located on the file 15 
server that is coupled to their respective secondary storage 
device 20 and tertiary storage device 30. As shown in FIG. 
1, stage migrator 21 is located in file server 15" and stage 
migrator 31 is located in the server 16. Each stage migrator 
21, 31, for example, manages migrated files, retrieves files 20 
upon request, and migrates files to the next stage in the 
storage hierarchy according to the rules of the storage 
hierarchy. Because each stage of the storage hierarchy has a 
stage migrator, the storage hierarchy can be distributed, 
thereby reducing the processing load on the file server 10 23 
via, for example, file servers 15 and 16. 

A user of the LAN system 1 can establish, for example, a 
system migration job for the entire file server 10 that will be 
run periodically to maintain the disk storage on the file 
server 10 within acceptable limits. The user also has the 30 
capability to do on-demand ad hoc migration or demigration 
jobs. All files from any file server 10, however, must migrate 
into the same storage hierarchy. 

Far a system migration job, that is, the migration of data 3S 
from the file server 10, the user needs to indicate the 
files/directories that are candidates for migration. The selec- 
tion process can be tailored by the user according to various 
criteria. For example, parameter variables for data migration 
can include a date variable, predetermined filters, or water ^ 
marks which are based on the storage availability of a 
particular device. 

Hie date parameter variable provides for the migration of 
files from the file server 10 based on, for example, the date 
the file was last accessed, the date the file was last updated 45 
or the creation date of the file. The predetermined filter 
parameter variable provides for the migration of files from 
the file server 10 based on, for example, a pattern match for 
a file name, an attribute of the file (e.g. system file, read only 
file) or a predetermined file size. The water marks parameter 50 
variable provides for the migration of files from the file 
server 10 based on the amount of storage space available at 
a particular storage device. 

Using the water marks parameter, for example, the HSM 
system 2 could migrate files from the file server 10 to the 55 
secondary storage 20 when the storage space available at the 
file server 10 reached a critical water mark, at which point 
emergency migration would immediately occur in accor- 
dance with predetermined migration criteria to avoid a 
"volume fair' situation. Hies then would be migrated until 60 
the storage space available reached a high water mark (eg., 
a safe level). The high water mark is defined, for example, 
as a percentage of the utilized space on the file server 10. 
When the utilized space is below the critical water mark and 
above the high water mark, files will be migrated at a 65 
predetermined time, for example, on a least recently 
accessed basis until a low water mark is reached A low 



037 

6 

water mark is also defined, for example, as a percentage of 
the utilized space on the file server 10. When the utilized 
space is below the low water mark, no migration occurs 
from the file server 10. 

The parameters for identifying files to be migrated from 
the file server 10 can be combined as desired by the user. 
When the user sets up a system migration job, the user also 
can specify whether further migration is to be performed, 
e.g., from the secondary storage device 20 to the tertiary 
storage device 30. In addition, the user can specify the 
period of time the migrated rile must remain in a storage 
device before further migration is performed. 

When a file residing in the file server 10 is identified for 
migration into the storage hierarchy of the HSM system 2, 
the method according to the present invention illustrated by 
the flowchart of FIG. 2 is implemented. As shown in FIG. 2, 
the process is initiated in step SO when the migration engine 
11 generates a command to migrate a file from the file server 
10. In step SI, the file to be migrated is opened and the file 
is read in step S2. In step S3, a copy of the data blocks of 
the file to be migrated are transmitted to the secondary 
storage device 20. The stage migrator 21 returns a migration 
key to the migration engine 11 indicating the location of the 
migrated file. 

Once the file has been transmitted to the secondary 
storage device 20, the original file, which is still residing in 
the file server 10, is truncated in step S4. The truncation of 
the original file in step 4 deallocates the data blocks of the 
original file so that the data blocks become available for 
reallocation by the file server 10. At this point, the original 
file has a physical allocation of, for example, zero data 
blocks due to the deallocation in step S4. In addition, the 
actual properties of the original file have been stored by the 
migration engine 11. In step S5, the migration key is written 
into the original file, which is now a sparse file having a 
physical size allocation of, for example, one data block 
containing the migration key. Thus, the sparse file physical 
allocation is smaller than the logical size of the original file. 
In step S<5. the migration engine 11 defines the original file 
as having a logical size equal to the actual file size of the 
original file, thereby creating a sparse file having a physical 
size allocation of one block, but a logical size equal to the 
original file size. The migration process is completed in step 
S7 when the migration engine 11 exits the migration process. 

The conventional operation of sparse files is illustrated in 
FIGS. 4 A and 4B. A file having a logical size of n data blocks 
(blocks 0-n), only some of which include data, is shown in 
FIG. 4A. For example, data blocks 0, 4, 7, 10 and n are 
shown in FIG. 4A as including data. The file shown in FIG. 
4B is a sparse file that represents the file in FIG. 4A. The file 
in FIG. 4B has a physical size of, for example, five data 
blocks, representing only the occupied data blocks of FIG. 
4A. Thus, the sparse file provides a method for creating a file 
having a physical size that is much less than its logical size, 
thereby preventing wasted storage space on the file server 
10. 

To create the sparse file shown in FIG. 4B, the computer 
programmer provides specific commands when creating the 
file which are recognized by the LAN system 1 operating 
system. For example, the Novell® Netware® operating 
system version 3.x interprets the SEEK command to not 
allocate the data blocks between SEEK addresses. In con- 
trast, other operating systems treat the SEEK command as 
allocating the data blocks in between SEEK addresses. The 
steps shown below in Table I are exemplary of the steps that 
can be used to create the sparse file Illustrated in FIG. 4B: 



01/10/2004, EAST 



Version: 1.4.1 



5,564,037 



7 

TABLE I 

a) Open File 

b) Seek to data block 0 

c) Write data of data block 0 5 

d) Seek to data block 4 

e) Write data of data block 4 

f) Seek to data block 7 

g) Write data of data block 7 

h) Seek to data block 10 

0 Write data of data block 10 10 

j) Seek to data block n 

k) Write data of data block n 

1) Close file 



Accordingly, the steps shown in Table I are interpreted by 
the Novell® Netware® operating system version 3.x to only 
allocate the data blocks which are written to, thus creating 
a sparse file having only five data blocks, representing the 
occupied data blocks in 0, 4, 7, 10 and a The sparse file 
indicates its actual size but when accessed by the user, the 
file is provided to the user in the form shown in FIG. 4A, that 20 
is, having a physical size allocation equal to its logical size. 

In accordance with the present invention, the sparse tile 
feature, for example, the Novell® Netware® operating 
system versions 3.x sparse file feature, is used represent a ^ 
file that has been migrated from the file server 10 without 
including any of the occupied data blocks of the original file. 
Thus, as shown in FIG. 4C, a sparse file having only one data 
block but defined as having a logical size equal to the actual 
size of the file shown in FIG. 4A is generated by the method M 
according to the present invention. Hie dotted lines shown 
in FIG. 4C indicate the logical size of the file but for which 
no data blocks have been allocated. Table II shows exem- 
plary steps for the creation of the sparse file of FIG. 4C 

TABLE n 35 

a) Open file 

b) Write migration key 

c) Seek to actual original file 

d) Write "O" 

e) Close file. «> 



According to the present invention, the sparse file feature 
of the Novell® Netware® operating system is used mini- 
mize the physical allocation necessary to represent a 45 
migrated file on the file server 10 while retaining the actual 
properties of the original file. Accordingly, once the original 
file has been copied and sent to the secondary storage device 
20 and then truncated, the remaining file in the file server can 
be operated on by the exemplary steps described in Table II. 5Q 
Step b, which performs a SEEK operation to the actual file 
size, defines the sparse file as having a logical size equal to 
the physical size of the original file. The deallocation of the 
original file, however, reduces the physical size occupied by 
the sparse file in the file server 10. J5 

In addition to the steps shown in Table II, another set of 
exemplary steps for creating a sparse file according to the 
present invention is shown in Table HI 

TABLE m ^ 

a) Open file 

b) Write migration bey 

c) Change Size to actual file size 

d) Close file. 

™— 65 

The CHANGE SIZE operation can be used to define the 
logical size of the sparse file because following the deallo- 



s 

cation of the original file in the file server 10, there are no 
allocated data blocks which would be affected by the 
CHANGE SIZE operation. Therefore, the method according 
to the present invention uses a known operating system 
feature, a sparse file, to represent a migrated file in the file 
server 10, the sparse file having a minimal physical size 
while being defined as having the actual properties of the 
migrated file. 

Once a file has been migrated from the file server 10 into 
the HSM system 2, the file is retrieved via demigration to the 
file server 10. Demigration occurs, for example, when the 
user accesses a migrated file and the file server 10 requests 
the file via the migration engine 11. As shown in FIG. 3, the 
demigration process is initiated in step S10 when a migrated 
file is requested by the file server 10. 

In step S10A, the migration engine 11 reads the migration 
key information stored in the sparse file to determine the 
location of the migrated file. In step S10B, the migration 
engine 11 sends the migration key to the stage migrator 21. 
The stage migrator 21 uses the migration key to determine, 
in step S1CC, whether the requested file is located in the 
secondary storage device 20 or has been further migrated to 
the tertiary storage device 30. Once the file is located in step 
S10D, the file is sent to the file server 10 via the migration 
engine 11. In step Sll, the migration engine 11 reads the data 
of the requested file. 

After the data from the migrated file is read, the sparse file 
is opened in step S12 by the migration engine 11. In step 
S13, the contents of the original file retrieved from the HSM 
system 2 are loaded into the sparse file, converting the sparse 
file back to the original file having its original physical 
allocation. Thus, after step S13, the original file is again 
resident on the file server 10 in it original (e.g., pre- 
migration) form. In addition, the user was not aware that the 
directory entry on the file server 10 was actually a sparse file 
containing no actual data of the original file, but rather only 
limited descriptive information. Moreover, the demigration 
of the migrated file is automatic and transparent to the user. 

In step S14, the migration key information formerly 
stored in the sparse file, which now no longer exists in the 
file server 10 but exists in the storage hierarchy because only 
a copy of the original file is retrieved from the storage 
hierarchy, is stored, for example, in the Novell® Netware® 
operating system Extended Attribute (EA). If the retrieved 
file is not modified and is later identified for migration, the 
former migration key will be utilized to prevent unnecessary 
data transfer into the storage hierarchy, since the file is 
already stored in an external storage device. In this case, 
only a sparse file will be created in the file server 10. In step 
SI 5, the migration engine U exits the demigration process. 

What is claimed is: 

1. A method for migrating a data file in a networked 
computer system from a primary storage device to a sec- 
ondary storage device, the data file having a first actual size, 
comprising the steps of: 

transmitting the contents of the data file to the secondary 

storage device; 
truncating the data file; and 

generating a sparse file in the primary storage device 
having an apparent size equal to the first actual size and 
a second actual size less than the first actual size. 

2. The method according to claim L, further comprising 
the step of migrating the data from the secondary storage 
device to a tertiary storage device as a function of a 
predetermined storage hierarchy scheme. 

3. The method according to claim 1, wherein the net- 
worked computer system includes a Novell® NetWare® 
version 3.x operating system. 



01/10/2004, EAST Version: 1.4.1 



5,564,1 

9 

4. The method according to claim 1, further comprising 
the step of: 

storing a migration key in the sparse file. 

5. The method according to claim 1, wherein the step of 
generating the sparse file further includes the steps of: 5 

performing an open operation on the data file; 
performing a first write operation on the data file; 
performing a seek operation on the data file; 
performing a second write operation on the data file; and 10 
performing a close operation on the data file. 

6. The method according to claim 5, wherein the seek 
operation seeks to the first actual size. 

7. The method according to claim 5, wherein the first 
write operation writes a migration key into the data file. 15 

8. The method according to claim 1, wherein the step of 
generating the sparse file further includes the steps of: 

performing an open operation on the data file; 
performing a first write operation on the data file; ^ 
performing a change size operation on the data file; and 
performing a close operation on the data file. 

9. The method according to claim 8, wherein the change 
size operation changes size to the first actual size. 



10 

10. A system for migrating a data file in a networked 
computer system from a primary storage device, the data file 
having a first actual size, comprising: 

a migration engine coupled to the primary storage device; 
and 

a secondary storage device coupled to the migration 
engine; 

wherein the migration engine reads the data file, transmits 
the contents of the data file to the secondary storage 
device, and generates a sparse file in the primary 
storage device having an apparent size equal to the first 
actual size and having a second actual size less than the 
first actual size. 

11. The system according to claim 10, further comprising 
a tertiary storage device coupled to the secondary storage 
device for receiving a further migration of the data file as a 
function of a predetermined storage hierarchy scheme. 

12. The system according to claim 10, wherein the migra- 
tion engine stores a migration key in the sparse file. 

13. The system according to claim 10, wherein the net- 
worked computer system includes a Novell® NetWare® 
version 3.x operating system. 

***** 



01/10/2004, EAST Version: 1.4.1 



iiiniiiiiiiiiiiiiiiii 

US006658568B1 

(i2) United States Patent m Patent No.: us 6,658,568 bi 

Ginter et al. (45) Date of Patent: Dec. 2, 2003 



(54) TRUSTED INFRASTRUCTURE SUPPORT 
SYSTEM, METHODS AND TECHNIQUES 
FOR SECURE ELECTRONIC COMMERCE 
TRANSACTION AND RIGHTS 
MANAGEMENT 

(75) Inventors: Karl L. Ginter, Beltsville, MD (US); 

Victor H. Shear, Bcthesda, MD (US); 
Francis J. Spahn, El Cerrito, CA (US); 
David M. Van Wie, Sunnyvale, CA 
(US); Robert P. Weber, Menlo Park, 
CA(US) 

(73) Assignee: Intertrust Technologies Corporation, 
Santa Clara, CA (US) 

( * ) Notice: Subject to any disclaimer, the term of this 
patent is extended or adjusted under 35 
U.S.C. 154(b) by 0 days. 

(21) Appl. No.: 09/426,764 

(22) Filed: Oct. 26, 1999 

Related U.S. Application Data 

(63) Cont inuatio n - in -part of appl ication No. 08/388, 107, filed on 
Feb. 13, 1995, now abandoned. 

(51) Int. CI. 7 G06F 12/14; G06F 17/30; 

H04L 9/32 

(52) U.S. CI 713/193; 713/155; 713/165; 

380/231; 380/233; 705/51; 705/52; 705/53; 

705/59; 707/9; 707/10 

(58) Field of Search 713/153, 154, 

713/155, 160, 162, 163, 165, 189, 190, 
193, 194, 200, 201; 380/230, 231, 233; 
705/39, 51, 52, 53, 59; 707/9, 10; 709/225, 
226; 711/163, 164 

(56) References Cited 

U.S. PATENT DOCUMENTS 



3,573,747 A 
3,609,697 A 



4/1971 Adams et al 340/172.5 

9/1971 Blevins 340/172.5 



3,796,830 A 3/1974 Smith 178/22 

3.798.359 A 3/1974 Feistel 178/22 

3.798.360 A 3/1974 Feistel 178/22 

3,798,605 A 3/1974 Feistel 340/172.5 

3,806,882 A 4/1974 Clarke 340/172.5 

3,829,833 A a/1974 Freeny, Jr. 340/149 R 

3,906,448 A 9/1975 Henriques 340/149 A 

(List continued on next page.) 

FOREIGN PATENT DOCUMENTS 

BE 9 004 79 A 12/1984 GUB/0/00 

BE 62-241061 A 12/1984 G06F/1^00 

DE 3803982 Al 1/1990 G06F/12/14 

EP 0 084 441 A2 7/1983 G06F/13/00 

EP 0 128 672 Al 12/1984 G06F/13/00 

EP 0 135 422 Al 3/1985 G06F/9/00 

EP 0 180 460 Al 5/1986 H04N/7/16 

EP 0 370 146 Al 11/1988 G06F/15/21 

EP 0 398 645 A2 11/1990 G06F/15/40 

(List continued on next page.) 

OTHER PUBLICATIONS 

Olin Sibert et al., DigiBox: A Self-Protecting Container for 
Information Commerce, Proceedings of the First USENIX 
Workshop on Electronic Commerce, New York, NY, Jul. 
1995, 9 pages. 

Olin Sibert et al., Securing the Content, Not the Wire, for 
Information Commerce, InterTrust Technologies Corpora- 
tion, 1996, 12 pages. 

(List continued on next page.) 

Primary Examiner — Justin T. D arrow 

(74) Attorney, Agent, or Firm — Finnegan, Henderson, 

Farabow, Garrett & Dunner LLP 

(57) ABSTRACT 

The present invention provides methods and systems for 
secure, automated transaction processing for use in elec- 
tronic commerce and el ectronic rights and transaction man- 
agement over an electronic network such as the Internet 
and/or over organization internal Intranets. One exemplary 
system involves rule-based specification and selection of 
clearinghouses, and rule-based specification of u ser restric - 
tions on the use of id entification information. 

21 Claims, 99 Drawing Sheets 




01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 2 



U.S. PATENT DOCUMENTS 



3,911^97 A 10/1975 Freeoy, Jr. 340/147 MD 

3,924,065 A 12/1975 Freeny, Jr. US/66 R 

3,931,504 A 1/1976 Jacoby 235/153 R 

3,946,220 A 3/1976 Brobeck et al 235/168 

3,956,615 A 5/1976 Anderson et al 235/61.7 B 

3,958,081 A 5/1976 Ehrsam et al 178/22 

3,970,992 A 7/1976 Boothroyd et al 340A72.5 

4,048,619 A 9/1977 Forman et al 340/154 

4,071,911 A 1/1978 Mazur 364/800 

4,112,421 A 9/1978 Freeny, Jr. 343/112 

4,120,030 A 10/1978 Johnstone 364/200 

4,163,280 A 7/1979 Mori et al 364/200 

4,168,396 A 9/1979 Best 178/22 

4,196^10 A 4/1980 Forman et al 178/22 

4,200,913 A 4/1980 Kuhar et al 364/900 

4,209,787 A 6/1980 Freeny, Jr. 343/112 R 

4,217,588 A 8/1980 Freeny, Jr. 343/112 D 

4,220,991 A 9/1980 Hamano et al 364/405 

4,232,193 A 11/1980 Gerard 179/1.5 R 

4,232,317 A 11/1980 Freeny 343/112 R 

4,236,217 A 11/1980 Kennedy 364/483 

4,253,157 A 2/1981 Kirschner et al 364/900 

4,262^29 A 4/1981 Bright el al 364/200 

4,265,371 A 5/1981 Desai et al 222/70 

4,270,182 A 5/1981 Asija 364/900 

4,278,837 A 7/1981 Best 178/22.09 

4305,131 A 12/1981 Best 364/521 

4306,289 A 12/1981 Lumley 364/200 

4309369 A 1/1982 Merkle 178/22.08 

4319,079 A 3/1982 Best 178/22.09 

4323,921 A 4/1982 Guillou 353/114 

4328344 A 5/1982 Baldwin et al 364/405 

4337,483 A 6/1982 Guillou 355/114 

4361,877 A 11/1982 Dyer et al 364/900 

4375379 A 3/1983 Davida et al 178/22.1 

4,433,207 A 2/1984 Best 178/22.09 

4,434,464 A 2/1984 Suzuki et al 364/200 

4,442,486 A 4/1984 Mayer 364/200 

4,446319 A 5/1984 Thomas 364/300 

4,454394 A 6/1984 Heffron et al 364/900 

4,458315 A 7/1984 Uchenick 364/200 

4,462,076 A 7/1984 Smith, III 364/200 

4,462,078 A 7/1984 Ross 364/300 

4,465,901 A 8/1984 Best 178/22.08 

4,471,163 A 9/1984 Donald et al 178/22.08 

4,484,217 A 11/1984 Block et al 358/84 

4,494,156 A 1/1985 Kadison et al 360/48 

4313,174 A 4/1985 Herman 178/22.08 

4328388 A 7/1985 Lofberg 358/122 

4328,643 A 7/1985 Freeny 364/900 

4353,252 A 11/1985 Egendorf 377/15 

4358,176 A 12/1985 Arnold et al 178/22.08 

4358,413 A 12/1985 Schmidt et al 364/300 

4362306 A 12/1985 Chou et al 178/22.08 

4362,495 A 12/1985 Bond et al 360/78 

4377,289 A 3/1986 Comerford et al 364/900 

4384,641 A 4/1986 GugUelmino 364/200 

4388,991 A 5/1986 Alalia 340/825.31 

4389,064 A 5/1986 Chiba et al 364/200 

4393,183 A 6/1986 Fukatsu 34Q/825.31 

4393353 A 6/1986 Pickholtz 364/200 

4393376 A 6/1986 Volk 364/900 

4395,950 A 6/1986 Lofberg 358/122 

4397,058 A 6/1986 Izumi et al 364/900 

4,634,807 A 1/1987 Chorley et al 178/22.08 

4,644,493 A 2/1987 Chandra et al 364/900 

4,646,234 A 2/1987 Tolman et al 364/200 

4,652,990 A 3/1987 Pailen et al 364/200 

4,658,093 A 4/1987 Hellman 380/25 

4,670,857 A 6/1987 Rackman 380/4 



4,672372 A 6/1987 Alsberg 364/900 

4,677,434 A 6/1987 Fascenda 380/23 

4,680,731 A 7/1987 Izumi et al 364/900 

4,683353 A 7/1987 Mollier 380/4 

4,685,056 A 8/1987 Barnsdale et al 364/200 

4,688,169 A &V1987 Joshi 364/200 

4,691350 A 9/1987 Kleijne et al 380/3 

4,696,034 A 9/1987 Wiedemer 380/16 

4,701,846 A 10/1987 Ikeda et al 364/200 

4,712,238 A 12/1987 Gflhousen et al 380/20 

4,713,753 A 12/1987 Boebert et al 364/200 

4,740,890 A 4/1988 William 364/200 

4.747.139 A 5/1988 Taaffe 380/44 

4.757333 A 7/1988 Allen et al 380/25 

4.757334 A 7/1988 Matyas et al 380/25 

4,757,914 A 7/1988 Roth et al. . .220/359 

4,768,087 A 8/1988 Taub et al 358/84 

4,791365 A 12/1988 Dunham et al 364/200 

4,796,181 A 1/1989 Wiedemer 364/406 

4,799,156 A 1/1989 Shavit 364/401 

4,807,288 A 2/1989 Ugon et al 380/30 

4.817.140 A 3/1989 Chandra et al 380/4 

4,823,264 A 4/1989 Deming 364/408 

4,827308 A 5/1989 Shear 380/4 

4.858.121 A 8/1989 Barber et al 364/406 

4,864,494 A 9/1989 Kobus 364/200 

4,868,877 A 9/1989 Fischer 38Q/25 

4,903,296 A 2/1990 Chandra et al 380/4 

4,924378 A 5/1990 Hershey et al 364/200 

4,930,073 A 5/1990 Cina 364/300 

4,949,187 A 8/1990 Cohen 358/335 

4,977394 A 12/1990 Shear 380/4 

4,999,806 A 3/1991 Chernow et al 364/900 

5,001,752 A 3/1991 Fischer 380/23 

5.005.122 A 4/1991 Griffin et al 364/200 

5,005,200 A 4/1991 Fischer 380/30 

5,010371 A 4/1991 Katznelson 380/4 

5,023,907 A 6/1991 Johnson et al 380/4 

5,047,928 A 9/1991 Wiedemer 364/406 

5,048,085 A 9/1991 Abraham et al 380/23 

5,05033 A 9/1991 Shear 380/25 

5,091,966 A 2/1992 Bloomberg et aL 382/21 

5,103392 A 4/1992 Mori 395/725 

5,103,476 A 4/1992 Waite et aL 380/4 

5,111390 A 5/1992 Ketcham 395/725 

5,119,493 A 6/1992 Janis et al 395/650 

5,126,936 A 6/1992 Champion et al 364/408 

5,128325 A 7/1992 Stearns et al 235/454 

5,136,643 A 8/1992 Fischer 380/23 

5.136.646 A 8/1992 Haber et al 38Q/49 

5.136.647 A &V1992 Haber et al 380/49 

5.136.716 A 8/1992 Harvey et al 395/800 

5,146375 A 9/1992 Nolan 395/425 

5,148,481 A 9/1992 Abraham et al 380/46 

5,155,680 A 10/1992 Wiedemer 364/406 

5,163,091 A 11/1992 GTaziano 380/25 

5,168,147 A 12/1992 Bloomberg 235/456 

5.185.717 A 2/1993 Mori 365/52 

5,187,787 A 2/1993 Skeen et al 395/800 

5.201.046 A 4/1993 Goldberg et al 395/600 

5.201.047 A 4/1993 Maki et al 395/600 

5,208,748 A 5/1993 Flores et al 364/419 

5,214,702 A 5/1993 Fischer 38Q/30 

5,216,603 A 6/1993 Flores et al 364/419 

5,221,833 A 6/1993 Hecht 235/494 

5,222,134 A 6/1993 Waite et al 380/4 

5,224,160 A 6/1993 Paulini et al 380/4 

5,224,163 A 6/1993 Gasser et al 38Q/30 

5,235,642 A 8/1993 Wobber et al 380/25 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 3 



5,241,671 A #1993 Reed et al 395/600 

5,245,165 A 9/1993 Zhang 235/454 

5,247,575 A 9/1993 Sprague et al 380/9 

5,257,369 A 10/1993 Skeen et al 395/200 

5,260,999 A 11/1993 Wyman 380/4 

5,263,158 A 11/1993 Janis 395/600 

5,265,164 A 11/1993 Matyas et al ; 380/30 

5,276,735 A 1/1994 Boebert et al 380/21 

5,280,479 A 1/1994 Mary 370/85.6 

535,494 A 2/1994 Sprecher et al 379/59 

5,301,231 A 4/1994 Abraham et al 380/4 

5,311,591 A 5/1994 Fischer 380/4 

5,319,705 A 6/1994 Halter et al 380/4 

5,319,785 A 6/1994 Thaller 395/725 

5,335,169 A 8/1994 Chong 364/408 

5,337,360 A 8/1994 Fischer ; 380/23 

5,341,429 A 8/1994 Stringer et al 380/23 

5,343,527 A 8/1994 Moore et al 380/4 

5,347,579 A 9/1994 Blandford 380/25 

5,351,293 A 9/1994 Michener et al 380/21 

5,355,474 A 10/1994 Thuraisngham et al 395/600 

5,373,440 A 12/1994 Cohen et al 364/410 

5,373,561 A 12/1994 Haber et al 380/49 

5,388,211 A 2/1995 Hornbudde 395/200 

5,390,247 A 2/1995 Fischer 380/25 

5,390,330 A 2/1995 Talati 395/700 

5,392,220 A 2/1995 van den Hamer et al. .. 364/488 

5,392,390 A 2/1995 Crozier 395/161 

5,394,469 A 2/1995 Nagel et al 380/4 

5,410,598 A 4/1995 Shear 380/4 

5,412,717 A 5/1995 Fischer 380/4 

5,418,713 A 5/1995 Allen 364/403 

5,421,006 A 5/1995 Jablon 395/575 

5,422,953 A 6/1995 Fischer 380/23 

5,428,606 A 6/1995 Moskowitz 370/60 

5,432,950 A 7/1995 Sibigtroth 395/425 

5.438.508 A 8/1995 Wyman 364/401 

5,442,645 A 8/1995 Ugon 371/25.1 

5,444,779 A 8/1995 Daniele 380/3 

5.449.895 A 9/1995 Hecht et al 235/494 

5.449.896 A 9/1995 Hecht et al 235/494 

5.450.493 A 9/1995 Maher 380/30 

5,453,601 A 9/1995 Rosen 235/379 

5,453,605 A 9/1995 Hecht et al 235/494 

5,455,407 A 10/1995 Rosen 235/380 

5,455,861 A 10/1995 Faucher et al 380/9 

5,455,953 A 10/1995 Russell 395/739 

5,457,746 A 10/1995 Dolphin 380/4 

5.458.494 A 10/1995 Krohn et al 434/336 

5,463,565 A 10/1995 Cookson et al 364/514 R 

5,473,687 A 12/1995 Lipscomb et al 380/4 

5,473,692 A 12/1995 Davis 380/25 

5.479.509 A 12/1995 Ugon 380/23 

5,485,622 A 1/1996 Yamaki 395/186 

5,491,800 A 2/1996 Goldsmith et al 395/200.12 

5,497,479 A 3/1996 Hornbudde 395/491 

5,497,491 A 3/1996 Mitchell et al 395/700 

5,499,298 A 3/1996 Narasimhalu et al 380/25 

5,504,757 A 4/1996 Cook et al 370/84 

5,504,818 A 4/1996 Okano 380/49 

5,504,837 A 4/1996 Griffeth et al 395/11 

5,508,913 A 4/1996 Yamamoto et al 364/408 

5,509,070 A 4/1996 Schull 380/4 

5,513,261 A 4/1996 Maher 380/23 

5,517,518 A 5/1996 Morson et al 375/200 

5,530,235 A 6/1996 Stefik et al 235/482 

5,530,752 A 6/1996 Rubin 380/4 

5,533,123 A 7/1996 Force et al 380/4 

5,534,975 A 7/1996 Stefik et al 355/202 

5,535,322 A 7/1996 Hecht 395/155 

5,537,526 A 7/1996 Anderson et al 395/148 



5,539,735 A 7/1996 Moskowitz 37Q/60 

5,539,828 A 7/1996 Davis 380/50 

5,550,971 A 8/1996 Brunner et al 395/161 

5,553,282 A 9/1996 Parrish et al 395/600 

5,557,518 A 9/1996 Rosen 364/408 

5,557,798 A 9/1996 Skeen et al 395/650 

5,563,946 A 10/1996 Cooper et al 380/4 

5,568,552 A 10/1996 Davis 380/4 

5,572,673 A 11/1996 Shurts 395/186 

5,592,549 A 1/1997 Nagel et al 380/4 

5,606,609 A 2/1997 Houser et al 380/4 

5,613,004 A 3/1997 Cooperman et al 380/28 

5,621,797 A 4/1997 Rosen 380/24 

5,629,980 A 5/1997 Stefik et al 380/4 

5,633,932 A 5/1997 Davis et al 380/25 

5,634,012 A 5/1997 Stefik et al 395/239 

5,636,276 A 6/1997 Bruggcr et al. '380/4 

5,636,292 A 6/1997 Rhoads 382/232 

5,638,443 A 6/1997 Stefik 380/4 

5,638,504 A 6/1997 Scott et al 395/7.61 

5,640,546 A 6/1997 Gopinath et al 395/551 

5,655,077 A 8/1997 Jones et al 395/187.01 

5,687,236 A 11/1997 Moskowitz et al 380/28 

5,689,587 A 11/1997 Bender et al 382/232 

5.692.180 A 11/1997 Lee 395/610 

5,710,834 A 1/1998 Rhoads 382/232 

5,715,403 A 2/1998 Stefik 395/244 

5,717,923 A 2/1998 Dedrick 395/613 

5.724.425 A 3/1998 Chang 380/25 

5,732,398 A 3/1998 Tagawa 705/5 

5,740,549 A 4/1998 Reilly et al 380/14 

5,745,569 A 4/1998 Moskowitz et aL 380/4 

5,745,604 A 4/1998 Rhoads 382/232 

5,748,763 A 5/1998 Rhoads 382/115 

5,748,783 A 5/1998 Rhoads 382/232 

5,748,960 A 5/1998 Fischer 395/683 

5,754,849 A 5/1998 Dyer et al. 395/612 

5,757,914 A 5/1998 McManis 380/23 

5,758,152 A 5/1998 LeTourneau 395/613 

5,765,152 A 6/1998 Erickson 707/9 

5.768.426 A 6/1998 Rhoads 382/232 

5,774,872 A 6/1998 Golden et al 705/19 

5,819,263 A 10/1998 Bromley et al 707/3 

5,842,173 A 11/1998 Strum et al 1 705/1 

5,892,900 A 4/1999 Ginter et al 395/186 

5,896,454 A 4/1999 Cookson et al 380/5 

5,910,987 A 6/1999 Ginter et al 380/24 

5,920,861 A 7/1999 Hall et al 707/9 

5,940,504 A 8/1999 Griswold 380/4 

5,943,422 A 8/1999 Van Wie et al 380/9 

5,949,876 A 9/1999 Ginter et al 380/4 

5,982,891 A 11/1999 Ginter et al 380/4 

5,999,949 A 12/1999 Crandall 707/532 

6.112.181 A 8/2000 Shear et al 705A 

6,138,119 A 10/2000 Hall et al 707/9 

6,157,721 A 12/2000 Shear et aL 380/255 

6,185,683 Bl 2/2001 Ginter et al 713/176 

6,237,786 Bl 5/2001 Ginter et al 213/153 

6,240,185 Bl 5/2001 Van Wie et al 380/232 

6,292^69 Bl 9/2001 Shear et aL 380/255 

FOREIGN PATENT DOCUMENTS 

EP 0 399 822 A2 HP 11/1990 G06F/9/44 

EP 0 421 409 A2 4/1991 G07F/7/10 

EP 0 456 386 A2 11/1991 G06F/1/00 

EP 0 469 864 A2 A3 2/1992 G06K/1/12 

EP 0 565 314 A2 10/1993 GO6F/15/20 

EP 0 570 123 Al 11/1993 G06F/12/14 

EP 0 593 305 A2 4/1994 G11B/23/20 

EP 0 651 554 Al 5/1995 GO6F/V0O 

EP 0 668 695 A2 A3 8/1995 G11B/20/00 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 4 



EP 0 695 985 Al 2/1996 G06F/1/10 

EP 0 696 798 Al 2/1996 G11B/20/12 

EP 0 714 204 A2 5/1996 H04N/5/913 

EP 0 715 243 Al 6/1996 GO6F/1/00 

EP 0 715 244 Al 6/1996 GO6F/1/00 

EP 0 715 245 Al 6/1996 G06F/1/00 

EP 0 715 246 Al 6/1996 G06F/1/D0 

EP 0 715 247 Al 6/1996 G06F/1/00 

EP 0 725 376 A2 8/1996 GO7F/19/D0 

EP 0 763 936 A2 9/1996 H04N/5/913 

EP 0 749 081 Al 12/1996 G06F/17/60 

EP 0 778 513 A2 6/1997 GO6F/1/D0 

EP 0 795 873 A2 9/1997 G11B/27/30 

EP 0 800 312 Al 10/1997 H04N/5/91 

GB A2136175 A 9/1984 H03K/13/24 

GB 2264796 A(I BM 9/1993 G06F/9/46 

GB 2294348 A 4/1996 G07F/17/32 

GB 2295947 A 6/1996 H04N/7/167 

JP 57-756 A 5/1982 G06F/1/00 

JP 62-225059 A 8/1987 H04NA/00 

JP 62-241061 A 10/1987 G06F/15/16 

JP 01-68835 A 3/1989 G06F/9/06 

JP 01-068835 A 3/1989 GO6F/9/06 

JP 02-242352 A 9/1990 GO6F/12/00 

JP 02-247763 A 10/1990 G06F/15/00 

JP 02-294855 A 12/1990 GO6F/12/00 

JP 04-369068 A 12/1992 GO6F/15/0O 

JP 05-181734 A 7/1993 GO6F/12/00 

JP 05-257783 A 10/1993 GO6F/12/00 

JP 05-268415 A 10/1993 H04NA/04 

JP 06-175794 A 6/1994 G06F/3/12 

JP 06-215010 A 8/1994 G06F/15/21 

JP 07-056794 A 3/1995 GO6F/12/00 

JP 07-084852 A 3/1995 GO6F/12/0O 

JP 07-141138 A 6/1995 G06F/3/14 

JP 07-200317 A 8/1995 G06F/9/46 

JP 07-200492 A 8/1995 G06F/15/16 

JP 07-244639 A 9/1995 GO6F/15/00 

JP 08-137795 A 5/1996 GO6F/15/00 

JP 08-152990 A 6/1996 G06F/3/14 

JP 08-185292 A 7fl996 G06F/3/14 

JP 08-185298 A 7/1996 G06F/3/14 

WO WO 85/02310 A 5/1985 G01F/1/00 

WO WO 85/03584 A 8/1985 G06F/11/30 

WO WO 90/02382 Al 3A990 GO6K/5/00 

WO WO 92/06438 Al 4/1992 G06F/15/22 

WO WO 92/22870 Al 12/1992 G06F/15/16 

WO WO 93/01550 Al 1/1993 G06F/11/34 

WO WO 94/01821 Al 1/1994 G06F/12/14 

WO WO 94/03859 Al 2A994 G06F/13/14 

WO WO 94/06103 Al 3/1994 G07F/7/10 

WO WO 94/16395 Al 7/1994 G06F/15/21 

WO WO 94/18620 Al 8/1994 G06F/7/06 

WO WO 94/22266 A2 9/1994 H04N/5/91 

WO WO 94/27406 A3 11/1994 H04N/5/91 

WO WO 95/14289 A2 5/1995 G06K/19/14 

WO WO 96/00963 Al V1996 G11B/20/00 

WO WO 96/03835 A2 2/1996 H04N/5/913 

WO WO 96/05698 Al 2/1996 H04N/5/913 

WO WO 96/06503 Al 2/1996 H04N/7/08 

WO WO 96/13013 Al 5/1996 GO6F/17/60 

WO WO 96/21192 Al 7/1996 G06F/17/60 

WO WO 96/24092 A2 8/1996 G06F/1/00 

WO WO 97/03423 Al 1/1997 G07F/19/00 

WO WO 97/07656 A2 3/1997 G06F/15/00 

WO WO 97/25816 Al 7/1997 H04N/5/76 

WO WO 97/32251 Al 9A997 GO6F/11/00 

WO WO 97/48203 Al 12/1997 H04K/1/00 



OTHER PUBLICATIONS 

David Amcke and Donna Cunningham, Document from the 
Internet: AT&T encryption system protects information ser- 
vices, (News Release), Jan. 9, 1995, 1 page. 
Claude Baggett, Cable's Emerging Role in the Information 
Superhighway, Cable Labs, (undated), 13 slides. 
Theodore Sedgwick Barassi, Document from Internet: The 
Cybernotary: Public Key Registration and Certification and 
Authentication of International Legal Transactions, 
(undated), 4 pages. 

Hugh Barnes, memo to Henry LaMuth, subject: George 
Gilder articles, May 31, 1994, 2 pages. 
Comments in the Matter of Public Hearing and Request for 
Comments on the International Aspects of \ the National 
Information Infrastructure, Before the Department of Com- 
merce, Aug. 12, 1994, pp. 1-15 (comments of Dan Bart). 
Michael Baum, "Worldwide Electronic Commerce: Law, 
Policy and Controls Conference** Nov. 11, 1993, 18 pages. 
Robert M. Best, Preventing Software Piracy with Cryp- 
to-Microprocessors, Digest of Papers, VLSI: New Archi- 
tectural Horizons, Feb. 1980, pp. 466-469. 
Richard L. Bisbey, II and Gerald J. Popek, Encapsulation: 
An Approach to Operating System Security, (US Conforma- 
tion Science Institute, Marina Del Rey, CA) Oct. 1973, pp. 
666-675. 

Rolf Blom, Robert Forchheimer, et al., Encryption Methods 
in Data Networks, Ericsson Technics, No. 2, Stockholm, 
Sweden, 1978. 

Rick E. Bruner, Document from the Internet: PowerAgent, 
NetBot help advertisers reach Internet shoppers, Aug. 1997, 
3 pages. 

Denise Caruso, Technology, Digital Commerce: 2 plans for 
watermarks, which can bind proof of authorship to elec- 
tronic works, N.Y. Times, Aug. 7, 1995, p. D5. 
A.K. Choudhury, N. F. Maxemchuck, et al., Copyright 
Protection for Electronic Publishing Over Computer Net- 
works, (AT&T Bell Laboratories, Murray Hill, N. J.) Jun. 

1994, 17 pages. 

Tun Clark, Ad service gives cash back. Document from the 
Internet: <www.news.com./News/Item/0,4,13050,00.html> 
(visited Aug. 4, 1997), 2 pages. 

Frederick B. Cohen, Operating System Protection Through 
Program Evolution, 8246 Computers & Security, No. 6, 
(Oxford, Great Britain) Oct. 1993, pp. 565-584. 
Donna Cunningham, David Arneke, et al., Document from 
the Internet: AT&T, VLSI Technology join to improve info 
highway security, (News Release) Jan. 31, 1995, 3 pages. 
Lorcan Dempsey and Stuart Weibel, The Warwick Metadata 
Workshop: A Framework for the Deployment of Resource 
Description, D-Lib Magazine, Jul. 15, 1996. 
Dorothy E. Denning and Peter J. Denning, Data Security, 11 
Computing Surveys No. 3, Sep. 1979, pp. 227-249. 
Whitfield Dime and Martin E. Hellman, New Directions in 
Cryptography, IEEE Transactions on Information Theory, 
vol. 22, No. 6, Nov. 1976, pp. 644-651. 
Whitfield Diffie and Martin E. Hellman, Privacy and 
Authentication: An Introduction to Cryptography, Proceed- 
ings of the IEEE, vol. 67, No. 3, Mar. 1979, pp. 397-^27. 
Stephen R. Dusse and Burton S. Kaliski, A Cryptographic 
Library for the Motorola 56000, Advances in Cryptology — 
Proceedings of Eurocrypt 90, (I.M. Damgard, ed., Spring- 
er-Verlag) 1991, pp. 230-244. 

Esther Dyson, Intellectual Value, WIRED Magazine, Jul. 

1995, pp. 136-141 and 182-183. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 5 



Science, space and technology, Hearing before Subcomm. 
on Technology, Environment, and Aviation, May 26, 1994 
(testimony of D. Linda Garcia). 

James Gleick, Dead as a Dollar, The New York Times 
Magazine, Jun. 16, 1996, Sect. 6, pp. 26-30, 35, 42, 50, 54. 
Fred Greguras, Document from Internet: Softie Symposium 
'95, Copyright Clearances and Moral Rights, Dec. 11, 1995, 
3 pages. 

Louis C. Guillou, Smart Cards and Conditional Access, 
Advances in Cryptography — Proceedings of EuroCrypt 84 
(T. Beth et al, Ed., Springer-Verlag, 1985) pp. 48(M90. 
Harry H. Harman, Modern Factor Analysis, Third Edition 
Revised, University of Chicago Press, Chicago and London, 
1976. 

Amir Herzberg and Shlomit S. Pinter, Public Protection of 
Software, ACM Transactions on Computer Systems, vol. 5, 
No. 4, Nov. 1987, pp. 371-393. 

Jud Hofmann, Interfacing the Nil to User Homes, (Con- 
sumer Electronic Bus. Committee) NIST, Jul. 1994, 12 
slides. 

Jud Hofimann, Interfacing the Nil to User Homes, Electronic 
Industries Association, (Consumer Electronic Bus Commit- 
tee) (undated), 14 slides. 

Stannie Holt, Document from the Internet: Start-up prom- 
ises user confidentiality in Web marketing service, Info- 
World Electric News (updated Aug. 13, 1997). 
Jay J. Jiang and David W. Conrath, A Concept-based 
Approach to Retrieval from an Electronic Industrial Direc- 
tory, International Journal of Electronic Commerce, vol. 1, 
No. 1 (Fall 1996) pp. 51-72. 

Debra Jones, Document from the Internet Top Tech Stories, 
Power Agent Introduces First Internet Informediary' to 
Empower and Protect Consumers, (updated Aug. 13, 1997) 
3 pages. 

Kevin Kelly, E-Money, Whole Earth Review, Summer 

1993, pp. 40-59. 

Stephen Thomas Kent, Protecting Externally Supplied Soft- 
ware in Small Computers, (MIT/LCS/TR-255) Sep. 1980 
254 pages. 

David M. Kristol, Steven H. Low and Nicholas F. Maxem- 
chuk, Anonymous Internet Mercantile Protocol, (AT&T Bell 
Laboratories, Murray Hill, NJ) Draft: Mar. 17, 1994. 
Carl Lagoze, The Warwick Framework, A Container Archi- 
tecture for Diverse Sets of Metadata, D-lib Magazine, 
JulVAug. 1996. 

Mike Lanza, e-mail, George Gilder's Fifth Article— Digital 

Darkhorse— Newspapers, Feb. 21, 1994. 

Steven Levy, E-Money, That's What I want, WIRED, Dec. 

1994, 10 pages. 

Steven H. Low and Nicholas F. Maxemchuk, Anonymous 
Credit Cards, AT&T Bell Laboratories, Proceedings of the 
2 nd ACM Conference on Computer and Communication 
Security, Fairfax, VA, Nov. 2-4, 1994, 10 pages. 
Steven H. Low, Nicholas F. Maxemchuk, and Sanjoy Paul, 
Anonymous Credit Cards and its Collusion Analysis (AT&T 
Bell Laboratories, Murray Hill, NJ.) Oct. 10, 1994, 18 
pages. 

S. H. Low, N.F Maxemchuk, et al., Document Marking and 
Identificaton using both Line and word Shifting (AT&T Bell 
Laboratories, Murray Hill, NJ.) Jul. 29, 1994, 22 pages. 
Malcolm Maclachlan, Document from the Internet: Power- 
Agent Debuts Spam-Free Marketing, TechWire, Aug. 13, 
1997, 3 pages. 



N.F. Maxemchuk, Electronic Document Distribution, 
(AT&T Bell Laboratories, Murray Hill, NJ.) (undated). 
Eric Milbrandt, Document from the Internet: Steganography 
Info and Archive, 1996, 2 pages. 

Ryoichi Mori and Masaji Kawahara, Superdistribution: The 
Concept and the Architecture, The Transactions of the 
EIE1CE, V, E73, No. 7, Tokyo, Japan, Jul. 1990. 
Walter S. Mossberg, Personal Technology, Threats to Pri- 
vacy On-Line Become More Worrisome, The Wall Street 
Journal, Oct. 24, 1996. 

Nicholas Negroponte, Some Thoughts on Likely and 
Expected Communications Scenarios: A Rebuttal, Telecom- 
munications, Jan. 1993, pp. 41—42. 

Nicholas Negroponte, Electronic Word of Mouth, WIRED, 
Oct. 1996, p. 218. 

Peter G. Neumann, Robert S. Boyer, et al., A Provably 
Secure Operating System: The System, Its Applications, and 
Proofs, Computer Science Laboratory Report CSL-116, 
Second Edition, SRI International, Jun. 1980. 
Joseph N. Pelton (Dr.), Why Nicholas Negroponte is Wrong 
About the Future of Telecommunication, Telecommunica- 
tions, Jan. 1993, pp. 35-40. 

Gordon Rankine (Dr.), THOMAS— A Complete Single-Chip 
RSA Device, Advances in Cryptography, Proceedings of 
CRYPTO 86, (A.M. Odiyzko Ed, Springer-Verlag) 1987, 
pp. 480-487. 

Arthur K. Reilly, Input to the 'International Telecommuni- 
cations Hearings, 'Panel 1: Component Technologies of the 
NII/GII, Standards Committee Tl-Telecommunications 
(undated). 

Paul Resnick and Hal R. Varion, Recommender Systems, 
Communications of the ACM, vol. 40, No. 3, Mar. 1997, pp. 
56-89. 

Lance Rose, Cyberspace and the Legal Matrix: Laws or 
Confusion"}, 1991. 

Steve Rosenthal, Interactive Network: Viewers Get 
Involved, New Media, Dec. 1992, pp. 30-31. 
Steve Rosenthal, Interactive TV: The Gold Rush is on, New 
Media, Dec. 1992, pp. 27-29. 

Steve Rosenthal, Mega Channels, New Media, Sep. 1993, 
pp. 36-46. 

Edward Rothstein, Technology, Connections, Making the 
Internet come to you through 'push* technology, N. Y Times, 
Jan. 20, 1997, p. D5. 

Ken Rutkowski, Document from Internet: PowerAgent 
Introduces First Internet 'Informediary' to Empower and 
Protect Consumers, Tech Talk News Story, Aug. 4, 1997, 1 
page. 

Ira Sager (Edited by), Bits & Bytes, Business Week, Sep. 23, 
1996, p. 142E. 

Schlosstein, Steven, America: The G7's Comeback Kid, 

International Economy, Jun./Jul. 1993, 5 pages. 

Ingrid Scnaumueller-Bichl and Ernst Piller, A Method of 

Software Protection Based on the Use of Smart Cards and 

Cryptographic Techniques, (undated), 9 pages. 

Jurgen Schurmann, Pattern Classification, A Unified View of 

Statistical and Neural Approaches, John Wiley & Sons, Inc., 

1996. 

Victor Shear, Solutions for CD-ROM Pricing and Data 
Security Problems, CD ROM Yearbook 1988-1989 
(Microsoft Press 1988 or 1989) pp. 530-533. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 6 



Karl Siuda, Security Services in Telecommunications Net- 
works, Seminar: Mapping New Applications Onto New 
Technologies, edited by B. Plattner and P Gunzburger; 
Zurich, Mar. 8-10, 1988, pp. 45-52, XP000215989. 
Sean Smith and J.D. Tygar, Signed Vector Timestamps: A 
Secure Protocol for Partial Order Time, CMU-93-116, 
School of Computer Science Carnegie Mellon University, 
Pittsburgh, Pennsylvania, Oct 1991; version of Feb. 1993, 
15 pages. 

Mark Stefik, Letting Loose the Light: Igniting Commerce in 
Electronic Publication, (Xerox PARC, Palo Alto, CA) 
1994-1995, 35 pages. 

Mark Stefik, Letting Loose the Light: Igniting Commerce in 
Electronic Publication, Internet Dreams: Archetypes, 
Myths, and Metaphors. Massachusetts Institute of -Technol- 
ogy, 1996, pp. 219-253. 

Mark Stefik, Chapter 7, Classification, Introduction to 
Knowledge Systems (Morgan Kaufmann Publishers, Inc., 
1995) pp. 543-607. 

Tom Stephenson, The Info Infrastructure Initiative: Data 
Super Highways and You, Advanced Imaging, May 1993, 
pp. 73-74. 

Bruce Sterling, Literary freeware: Not for Commercial Use, 
remarks at Computers, Freedom and Private Conference IV, 
Chicago, IL, Mar. 26, 1994. 

Bruno Struif, The Use of Chipcards for Electronic Signa- 
tures and Encryption, Proceedings for the 1989 Conference 
on VLSI and Computer Peripherals, IEEE Computer Society 
Press, 1989, pp. (4)155 -(4)158. 

J.D. Tygar and Bennet Yee, Cryptography: It's Not Just for 
Electronic Mail Anymore, CMU-CS-93-107, School of 
Computer Science Carnegie Mellon University, Pittsburgh, 
PA, Mar. 1, 1993, 21 pages. 

J.D. Tygar and Bennet Yee, Dyad: A System for Using 
Physically Secure Coprocessors, School of Computer Sci- 
ence, Carnegie Mellon University, Pittsburgh, PA (undated), 
41 pages. 

JJX Tygar and Bennet Yee, Dyad: A System for Using 
Physically Secure Coprocessors, School of Computer Sci- 
ence, Carnegie Mellon University, Pittsburgh, PA, May 
1991, 36 pages. 

T. Valovic, The Role of Computer Networking in the Emerg- 
ing Virtual Marketplace, Telecommunications, (undated), 
pp. 40-44. 

Joan Voight, Beyond the Banner, Wired, Dec. 1996, pp. 196, 
200, 204. 

Steven Vonder Haar, Document from the Internet: Power- 
Agent Launches Commercial Service, Interactive Week, 
Aug. 4, 1997, 1 page. 

Robert Weber, Metering Technologies for Digital Intellec- 
tual Property, A Report to the International Federation of 
Reproduction Rights Organisations (Boston, MA), Oct. 
1994, pp. 1-29. 

Robert Weber, Document from the Internet: Digital Rights 
Management Technologies, Oct. 1995, 21 pages. 
Robert Weber, Digital Rights Management Technologies, A 
Report to the International Federation of Reproduction 
Rights Organisations, Northeast Consulting Resources, Inc., 
Oct. 1995, 49 pages. 

Adele Weder, Life on the Infohighway, INSITE, (undated), 
pp. 23-25. 

Steve H. Weingart, Physical Security for the ABYSS System, 
(IBM Thomas J. Watson Research Center, Yorktown 
Heights, NY), 1987, pp. 52-58. 



Daniel J. Weitzner, A Statement on EFF's Open Platform 
Campaign as of Nov., 1993, 3 pages. 
Steve R. White, ABKSS: A Trusted Architecture for Software 
Protection, (IBM Thomas J. Watson Research Center, York- 
town Heights, NY), 1987, pp. 38-50. 
Bennet Yee, Using Secure Coprocessors, 
CMU-CS-94-149, School of Computer Science, Carnegie 
Mellon University, Pittsburgh, PA, 1994, 94 pages. 
Frank Yellin, Document from the Internet: Low Level Secu- 
rity in Java, Sun Microsystems, 1996, 8 pages. 
Symposium: Applications Requirements for Innovative 
Video Programming; How to Foster (or Cripple) Program 
Development Opportunities for Interactive Video Programs 
Delivered on Optical Media: A Challenge for the Introduc- 
tion of DVD (Digital Video Disc) -(Oct -19-20, 4995, 
Sheraton Universal Hotel, Universal City CA). 
Argent Information, Q&A Sheet, Document from the Inter- 
net: <http://www.digital-watermark.com/>, Copyright 

1995, The DICE Company, (last modified Jun. 16, 1996), 7 
pages. 

New Products, Systems and Services, AT&T Technology, 
vol. 9, No. 4, (undated), pp. 16-19. 

Cable Television and America's Telecommunications Infra- 
structure, (National Cable Television Association, Washing- 
ton, D.C.), Apr. 1993, 19 pages. 

CD ROM: Introducing ...The Workflow CD-ROM Sampler 
(Creative Networks, MCIMail: Creative Networks, Inc.), 
(undated). 

Codercard, Basic Coder Subsystem (Interstate Electronics 
Corp., Anaheim, CA), (undated) 4 pages. 
Collection of documents including: Protecting Electroni- 
cally Published Properties, Increasing Publishing Profits, 
(Electronic Publishing Resources Inc.,) Jan. 1993, 25 pages. 
Communications of the ACM, vol. 39, No. 6, Jun. 1996, 130 
pages. 

Communications of the ACM, "Intelligent Agents/' vol. 37, 
No. 7, Jul. 1994, 170 pages. 

Computer Systems Policy Project (CSSP), Perspectives on 
the National Information Infrastructure: Ensuring Interop- 
erability, Feb. 1994, 5 slides. 

DiscStore (Electronic Publishing Resources, Chevy Chase, 
MD), 1991. 

DSP56000/DSP56001 Digital Signal Processor User's 
Manual, (Motorola), 1990, p.2-2. 

A Supplement to Midrange Systems, Premenos Corp. White 
Paper: The Future of Electronic Commerce, Document from 
Internet: <webmaster@premenos.com>. Aug. 1995, 4 
pages. 

CGI Common Gateway Interface, Document from the Inter- 
net: <cgi@ncsa.uiuc.edu>, 1996, 1 page. 
HotJava™: The Security Story, Document from the Internet: 
(undated) 4 pages. 

About the Digital Notary Service, Document from the Inter- 
net: <info@surety.com>, (Surety Technologies), 1994-5, 6 
pages. 

Templar Overview: Premenos, Document from the Internet: 
<info@templar.net> (undated), 4 pages. 
Templar Software and Services, Secure, Reliable, Stan- 
dards- Based EDI Over the Internet: Document from the 
Internet: <info@templar.net.> (Premenos) (undated), 1 
page. 

JAVASOFT, Frequently Asked Questions— Applet Security, 
Document from Internet: <java@java.sun.com>, Jun. 7, 

1996, 8 pages. 



01/11/2004, EAST Version: 1.4.1 



US 6,658,568 Bl 

Page 7 



News from the Document Company XEROX, Xerox 
Announces Software Kit for Creating 'Working Documents' 
with Dataglyphs Document from Internet: Nov. 6, 1995, 13 
pages. 

Premenos Announces Templar 2.0— Next Generation Soft- 
ware for Secure Internet EDI, Document from Internet: 
<webmaster@templar.net>, Jan. 17, 1996, 1 page. 
WEPIN Store, Stenography (Hidden Writing), Document 
from Internet: (Common Law), 1995, 1 page. 
Sag's durch die Blume, Document from Internet: 
<marit@schulung.netuse.de.>(German), (undated), 5 pages. 
A Publication of the Electronic Frontier Foundation, EFFec- 
tor Online vol. 6 No. 6., Dec. 6, 1993, 8 pages. 
EIA and TIA White Paper on National Information Infra- 
structure; The Electronic Industries Association and the 
Telecommunications Industry Association, Washington, 
D.C., (undated). 

Electronic Currency Requirements, XIWT (Cross Industry 
Working Group), (undated). 

Electronic Publishing Resources Inc. Protecting Electroni- 
cally Published Properties Increasing Publishing Profits 
(Electronic Publishing Resources, Chevy Chase, MD) 1991, 
19 pages. 

What is Firefly*}, Document from the Internet: <www.ffly. 
com>, (Firefly Network, Inc.) Firefly revision: 41.4, (Copy- 
right 1995, 1996), 1 page. 

First CII Honeywell Bull International Symposium on Com- 
puter Security and Confidentiality, Conference Text, Jan. 
26-28, 1981, pp. 1-21. 

Framework for National Information Infrastructure Ser- 
vices, Draft, U.S. Department of Commerce, Jul. 1994. 
Framework for National Information Infrastructure Ser- 
vices, N1ST, Jul. 1994, 12 Slides. 

Intellectual Property and the National Information Infra- 
structure, a Preliminary Draft of the Report of the Working 
Group on Intellectual Property Rights, Green paper, Jul. 
1994, 141 pages. 

Multimedia Mixed Object Envelopes Supporting a Gradu- 
ated Fee Scheme Via Encryption, IBM Technical Disclosure 
Bulletin, vol. 37, No. 3, Mar. 1, 1994, pp. 413-417, 
XP000441522. 

Transformer Rules Strategy for Software Distribution 
Mechanism-Support Products, IBM Technical Disclosure 
Bulletin, vol. 37, No. 48, Apr. 1994, pp. 523-525, 
XP000451335. 

IISP Break Out Session Report for Group No. 3, Standards 
Development and Tracking System, (undated). 
Information Infrastructure Standards Panel: Nil "The Infor- 
mation Superhighway", NationsBank— HGDeal—ASC X9, 
(undated), 15 pages. 



InvoicelWhat's an Invoice!, Business Week, Jun. 10, 1996, 
pp. 110-112. 

Micro Card (Micro Card Technologies, Inc., Dallas, TX), 
(undated), 4 pages. 

Background on the Administration's Telecommunications 
Policy Reform Initiative, News Release, The White House, 
Office of the President, Jan. 11, 1994, 7 pages. 
Nil, Architecture Requirements, XIWT, (undated). 
Symposium: Open System Environment Architectural 
Framework for National Information Infrastructure Ser- 
vices and Standards, in Support of National Class Distrib- 
uted Systems, Distributed System Engineering Program 
Sponsor Group, Draft 1.0, Aug. 5, 1994, 34 pages. 
Proper Use of Consumer Information on the Internet, Docu- 
ment from the Internet, White Paper/ (PowerAgent Inc., 
Menlo Park, CA) Jun. 1997, 9 pages. 
What the Experts are Reporting on PowerAgent, Document 
from the Internet, PowerAgent Press Releases, Aug. 13, 
1997, 6 pages. 

What the Experts are Reporting on PowerAgent, Document 
from the Internet, PowerAgent Press Releases, Aug. 4, 1997, 
5 pages. 

Portland Software's Ziplock, Internet Information, Copy- 
right Portland Software 1996-1997, 12 pages. 
Press Release, National Semiconductor and EPR Partner for 
Information Metering/Data Security Cards (Mar. 4, 1994). 
R01 (Personal Library Software, 1987 or 1988). 
R01 — Solving Critical Electronics Publishing Problems 
(Personal Library Software, 1987 or 1988). 
Serving the Community: A Public Interest Vision of the 
National Information Infrastructure, Computer Profession- 
als for Social Responsibility, Executive Summary (undated). 
Special Report, The Internet: Fulfilling the Promise; Lynch, 
Clifford, The Internet Bringing Order from Chaos; Resnick, 
Paul, Search the Internet, Hearst, Marti A., Filtering Infor- 
mation on the Internet, Stefik, Mark, Interfaces for Search- 
ing the Web; Scientific American, Mar. 1997, pp. 49-56, 
62^67, 68-72, 78-81. 

The 1:1 Future of the Electronic Marketplace: Return to a 
Hunting and Gathering Society, (undated), 2 pages. 
The Benefits of RDI for Database Protection and usage 
Based Billing (Personal Library Software, 1987 or 1988). 
The New Alexandria No. 1, Alexandria Institute, Jul.-Aug. 
1986, pp. 1-12. 

Is Advertising Really Dead?, Wired 1.02, Part 2, 1994. 
How Can I Put an Access Counter on My Home Page?, 
World Wide Web FAQ, 1996, 1 page. 
XIWT Cross Industry Working Team, Jul. 1994, 5 pages. 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 1 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec 2,20«3 



Sheet 2 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent oec.2,20«3 



Sheet 4 off 99 



US (5,658,568 Bl 




01/11/2004, EAST Version: 



1.4.1 




01/11/2004, EAST Version: 1.4.1 



Dec 2, 2003 



Sheet 6 of 99 



US 6,658,568 




01/11/2004, EAST Version: 1.4.1 



U„§- Paitanlt Dec.2,20fl«3 Sheet 7 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2,20fl$ Sheet 8 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 



Sheet 9 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



Uo§. Pafoeimt Dec. 2, 2003 Sheet 10 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 11 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo Pattern* 



Dec. 2, 2003 



Sheet 12 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patenntt 



Dec. 2, 2003 Sheet 13 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo Patemft Dec. 2, 2003 Sheet 14 of 99 



US 6,658,5158 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patonnt Dec. 2, 20®3 Sheet 15 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 



1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 16 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo Patent 



Pec. 2, 20®3 



Sheet 17 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Paltemtt 



Dec. 2, 2003 Sheet 18 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo PfflfoMntt Dec 2, 2003 Sheet 19 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Pffltonlt Dec. 2, 2003 Sheet 20 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec 2, 2009 



Sheet 21 of 99 



US <5,<658,5<fi>8 Bl 




01/11/2004, EAST Version: 1.4.1 




01/11/2004, EAST Version: 1.4.1 



U.S. Pateimtt 



Dec. 2, 2003 



Sheet 23 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Fattenntt Dec. 2, 20«3 Sheet 24 of 99 118 6,(558,515811 




01/11/2004, EAST Version: 1.4.1 



U.So Pfflttenntt Dec. 2, 2003 Sheet 25 of 99 US (5,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Pffltennt Dec. 2, 2003 Sheet 26 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. PffltoMt Dec. 2, 2003 Sheet 27 of 99 US 6,(558,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U„§„ Patt®mt Dec. 2, 2003 Sheet 28 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 Sheet 29 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Fatonntt 



Dec. 2, 2003 



Sheet 30 of 99 



US 6,(558,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 31 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec 2, 2003 Sheet 32 of 99 US 6,658,568 Bl 





01/11/2004, EAST Version: 1.4.1 



UoSo Patent 



Dec. 2, 2003 Sheet 33 of 99 



US 6,658,568 Bl 



m 

S 



o 



IN- 



ILL 



S1N3INM0HIAN3 

owiavui 

30Vd$M38A3 



1N3W39VNVW 
A3M3U«n3 

3IN0cU33T3 



r— 

E cc 

LU O 
O 



SU30HO 
3IM0di33T3 



NOLM03IJ3 

* woiiwuiauv 



NOUVHMIN! 
SS300«d 

ss3Nisna 



AU3ATI3G 
3HHD3S 



l(E 



N(Mina3X3 3 
SM0liVU003N 
iOVUlWOO t= 



i 

cd 



£13 

o 



Ul CD 



CO 



o 

gE <t 
o p 
o 



CO UJ 

ii 



LU S 



LU S 



lM3l«TIUlftJ B 
3SVH0Und 
S3181DSW1M1 



u^ramunru & 

3SVHD«nd 
S319I9WJ. 



li 



S339AU3S 
AU0133Uia 
3UH03S 



A1M0H10V 
31V0HULM33 



3SnOH9M1bV3TO 
SN0ISSM3d 
3S1H3IH 



o 
co pi 



CD 



co 

a 



o 
o 



3SnOH9MIW313 

30vsn 



3SnOHDNIOT3T3 



3 



CD 



LU 
CD CO 

p CD 

DC < 



co 
O 



CD 
z CO 
— . CO 

LU iii 

CO " 

cc 2 
^l? 



O CD 
O LU 



— CO 
CD 

= L±J 

Q 5 



So 

CC 

a_ 

O 
o 



CD 

"S 



So 



O 3Z 



CD 
DC ZD 



-I 

O co 



o°c 
o 



oc § 
a. S 
cc oc 

LU UJ 



ii 

-J ^ 

u_ < 
fc- QC 



CO 

cd fcr 
<5 

Q LU 

o § 

o S 
uj S 
cc 

Q 



CD 
*J ^ 
>- CO 
CO 

|s 

LU Q_ 

i£ 

Q CO 



2= CD 



Lt 

CO o 
cc 

LU 



ID 

o 

cc 



o 

Cu 
O 
CC 
CL. 



UJ S 

cc £ 
=> z 

UJ CD 
CC 



ct a 
S co 
o 6/3 

8- 

o 
cc 



"1 



CD 



LU CC 



QC O 




co 
cc 



co Lu 

£7 UJ 

co 

=3 



Q CO 



CO 
UJ 

El 

CO UJ 



21 
co Lu 
co cd 

2| 

CL. S 
o0 LU 
tO 

^2 



o3 
o ^ 

p CO 

5 co 
uj uj 

cc o 
o ° 

_L cc 

-1 Q- 



O 

si 

O o 
O z 

" o 



o z 

3 °« 



6S 

z co 

LU CC 
CC LU 
CC 

So 



05 

H- CC 
<C uj 
2 Z 

go 



CO 

Is 

P LU 

O LU 
LU CD 
I— <C 



Si 

CC LU 
<C CO 

^ cc 



a 



LU *C 

^ CD 



CL CD 

s 



|s 

LU CO 
CC CO 

0 <c 

S£ 

o S 
o Lu 
*c a 



co 
co 

5S 

O LU 

o S 

— z 

_ CD 

S co 
o co 



CD 



CD lu 

- O 

o 
cc 

LU UJ 

sl 



o 

5 



o 

CD 



CC 

3 o 

op 

= LU 

cc u 
I— 

o 



o 

LU CC 

CD O 
O 3Z 



o 

Lu CD 

^ LU 

is 

CO 
Q 



SB 



*~ CD 
CO «t 



1 CD 



01/11/2004, EAST Version: 1.4.1 



UoSc Patent Dec. 2, 2003 Sheet 34 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Bee. 2,2<MB Sheet 35 of 99 US 6,658,568 Bl 




01/11/2004, 



EAST Version: 1.4.1 



UoSo Patennt 



Dec. 2, 20®3 



Sheet 36 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 37 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



VoSo PataWt Dec. 2, 2003 Sheet 38 of 99 



US 6,658,568 Bl 




01/11/2004, 



EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 39 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patont 



Dec. 2, 2003 



Sheet 40 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo Patent Dec. 2, 2003 Sheet 41 of 99 



US 6,658,5(58 Bl 




01/11/2004, EAST Version: 1.4.1 



U,§. Patemt 



Pec. 2, 2008 Sheet 42 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Palteiinlt 



Dec 2, 2003 



Sheet 43 of 99 



US 6,658,5(68 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 



Sheet 44 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 45 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



I 

U.S. Ptoteimt Dec. 2, 2003 Sheet 46 of 99 115(5,658,56811 




01/11/2004, EAST Version: 1.4.1 



U.S. Patau* 



Dec. 2, 2003 



Sheet 47 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patau 



Dec 2, 2003 



Sheet 4$ of 99 



US 6,658,568 Bl 




AAA & A 



0 

A 




B 

A 





CM 


CO 






CD 


> 


> 


> 




> 




















i- 




1— 


O 


o 


O 


o 


O 


o 


O 


o 


O 


o 


O 


o 


< 


< 


< 


< 


< 


< 




CM 


CO 




m 


CO 


1X1 


LU 


UJ 


UJ 


UJ 


UJ 


HI 


LU 


LU 


HI 


LU 


UJ 












>- 










$ 


< 


CL 


CL 


CL 


Q. 


0. 


CL 



1"^ 

> 



3fc 

h- 

O 



LU 
LU 

CL 



co 
> 



CO 
LU 
UJ 
>- 
< 
Q. 



CD 

> 



O 
O 
< 



LU 
LU 
>- 
< 
CL 







> 




=lfc 




f- 




o 




o 




< 








LU 




UJ 












CL 






o 



C3 
C3 
UJ 
E 

< 
CO 

Q 

UJ 



^0 



01/11/2004, EAST Version: 1.4.1 



U.S. Pattemt 



Dec. 2, 2003 Sheet 49 of 99 



US 6,658,568 Bl 



Example Payment and 
Redistribution Scenario 



164 



AUTHOR'S 
PPE 




SECOND 
AUTHOR'S 
PPE 

y 



164 A 



THIRD 
AUTHOR'S 
PPE 



1 164B 



01/11/2004, EAST Version: 1.4.1 



U.S. Patennt Dec. 2, 2003 Sheet 50 of 99 



US 6,658,568 Bl 



F0< 



S Example Super Distribution 






DOWNSTREAM 
CUSTOMER 


L. 

DOWNSTREAM 
CUSTOMER 

\ 


95(8) / 



01/11/2004, EAST Version: 1.4.1 



U.S. Pattern* 



Dec 2, 2003 Sheet 51 of 99 US 6,658,568 Bl 





01/11/2004, EAST Version: 1.4.1 



UoSo Patanlt Dec. 2, 201B Sheet 52 of 99 US 6,658,568 Bl 



z 
< 

Q_ 

O 

H 
GC 

z 
< 

X 

o 

t 3 

m < 
uj > 

° . o 

Q J h 
LU 

z 

LU 



Q_ 
O 
\— 
DC 
< 
CL 

Z 
< 

o 

c6 W 



< 
£L 

O 



< 
0 
III 
CC 
O 
CD 
< 



CO 
LU 

Q A O 

UJ 



> 



Q- 



UJ 
CC 
CD 
O 
< 



HI 



CO 
LU 
Q 

Q 

LU 

CD 

UJ 

oc 
o 

s 



2 
O 

P 



UJ 
DC 

a 
< 

H 
LU 



< 
CL 

UJ 
-1 
VL 

s 

UJ 





01/11/2004, EAST Version: 1.4.1 



UoSo Patent 



Dec* 2, 2003 



Sheet 53 of 99 



US 6,658,568 Bl 



Q 
LU 

cc 
o 

Q 
LU 

o 

w 

ec 

3 



Q 
W 

DC 
O 

s 

o 

LU 

CC 

C5 
CD 
< 



Q 
UJ 
DC 
O 

Q 
UJ 

a 

UJ 

DC 
O 
(!) 

< 




C 

o 

o 2 
c< 

s-§ 

O E 

— > 

a a 

o o. 

It 
s 

Ui 



SP 3 



BL 



o 

CO 

z 
< 

DC 

^ 

CC 
LU 
CO 
3 





CM 






z 




z 


1 


o 


O 


o 




















< 


< 


< 




CO 


CO 


CO 




z 


Z 


z 




< 


< 


< 




CE 




cc 




H 


1- 


"1 





CVI 


co 


z 


z 


z 


o 


O 


O 








& 






< 


< 


< 


(0 


CO 


CO 




z 




1 


< 






cc 


cc 









o o o 



CO 

z 
o 

& 

< 
CO 

z 

H 

CO 

z 

DC 
LU 
CO 
3 





CM 




z 


z 


z 


o 


o 


o 




h- 






o 




< 


< 


< 


CO 


CO 


co 




z 


z 




< 


< 


CC 


cc 


cc 









01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 54 of 99 



US 6,658,568 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 55 of 99 



US 6,658,568 Bl 




01/11/2004, 



EAST Version: 1.4.1 




01/11/2004, EAST Version: 1.4.1 



UoSo PateMlt Dec 2, 2003 Sheet 57 of 99 US 6,658,568 Bl 





01/11/2004, EAST Version: 1.4.1 



U.S. Pattern* 



Dec. 2, 2003 



Sheet 59 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Pec. 2, 2003 Sheet 60 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Pffltenntt Dec 2, 2003 Sheet 61 of 99 US 6,658,568 




01/11/2004, EAST Version: 1.4.1 



U.S. PfflttemHt Dec.2,20€S 



Sheet 62 of 99 



US 6,658,5(58 Bl 




01/11/2004, 



EAST Version: 1.4.1 



VoSo Patenntt Dec. 2, 2MB Sheet 63 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoS. P&temtt Dec 2, 2G03 Sheet 64 of 99 US 6,658,5(58 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 65 of 99 



US 6,658,568 Bl 




FD@ D 

Consumer Registers Control Set 
To Request Updates 



01/11/2004, EAST Version: 1.4.1 



U.S. Patenut 



Dec. 2, 20®3 



Sheet (56 of 99 



US (6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



I 

U.S. PffltaUt Dec. 2, 2003 Sheet 67 of 99 US 6,658,568 Bl 






UJ 

CL 



(0 

E f 

DC g 

(0 



U ~ J ' 
4) O 
CC I- 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 68 of 99 US 6,658,568 Bl 



PERMSStOM^TYPE 



f UNCOND. C0ND.0N CONTENT UNCOND. 

ACTION PERMIT PAYMENT BASED PROHIBIT 



PRICING MODELS 



450 



VIEW 
TITLE 


✓ 










VIEW 
ABSTRACT 












MODIFY 
TITLE 










■ ■ ■ ■ 


REDIS- 
TRIBUTE 














BACKUP 




✓ 






ONE 
TIME 
PURCH. 


PAY 
PER 
ACTION 


DECL 
COST 




























^^^^^^^^^ 




























VIEW 
CONTENT 




✓ 






ONE 
TIME 
PURCH. 


PAY 

PER 
VIEW 


DECL 
COST 




PRINT 
CONTENT 




✓ 






ONE 
TIME 
PURCH. 


PAY 
PER 
PRINT 


DECL 
COST 





FIG. 45A EXAMPLE RIGHTS TEMPLATE 



188 



VIEW TITLE CONTROL 



VIEW ABSTRACT CONTROL 



MODIFY TITLE CONTROL 



REDISTRIBUTE CONTROL 



BACKUP CONTROL 



J88(1) 

.188(2) 

-188(3) 

.188(4) 
-188(5) 




VIEW CONTENT CONTROL 



PRINT CONTENT CONTROL 



„188(N-1) 
-188(N) 



FIG- 45C EXAMPLE CONTROL SET 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 69 of 99 



US 6,658,568 Bl 




FIG. 45B PRICING MODELS AND LEVELS 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 70 of 99 



US 6,658,568 Bl 



FIG. 46 Example Rights And Permissions 
Clearing Process 



C START J 



RIGHTS AND PERMISSIONS 
CLEARINGHOUSE OR 

RIGHTS HOLDER 
DEFINES TEMPLATE 



I 452(1) 

T 



RIGHTS HOLDER RLLS IN 
TEMPLATE TO DEFINE 
PERMISSIONS 
GRANTED AND WITHHELD, 
PRICING MODEL AND PRICING LEVELS 




452(2) 



RIGHTS HOLDER 
ASSOCIATES PERMISSIONS 
WITH OBJECT 




452(3) 



RIGHTS HOLDER 
CONVEYS PERMISSIONS 
WITH OR SEPARATELY 
FROM OBJECT 



STORE PERMS! 

M 

PBiMtSSIOt 


SIGN IN RIGHTS I 
ID 

ISARCMVE 






RIGHTS AND PERMISSIONS 
CLEARINGHOUSE PROVIDES [ 
PREAUTHORGED PERMISSIONS 
FROM ARCHIVE 
TO USERS 




452(4) 





452(5) 



SEND PERMISSIONS 
TO USERS 



USERS REQUEST AND 
PREAUTHORKZED PERMISSIONS 
FROM RIGHTS AND PERMISSIONS | 
CLEARINGHOUSE 



01/11/2004, EAST Version: 1.4.1 



VoSo Pfflteimtt Dec. 2, 2003 Sheet 71 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U,§„ Patent 



Dec. 2, 2003 Sheet 72 of 99 US 6,658,568 Bl 




0» 

c 

BL uj < 



01/11/2004, EAST Version: 1.4.1 



Uo§o Patent Dec 2, 2003 Sheet 73 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 74 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



Ue§o PfflttenMt Dec. 2, 2003 Sheet 75 of 99 US 6,658,568 




01/11/2004, EAST Version: 1.4.1 



U.S. PfflfoMMt Dec. 2, 2003 Sheet 76 of 99 US <&,(p58,5iS8 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 77 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec 2, 2003 



Sheet 78 of 99 



US 6,658,568 Bl 



FIG. 51 F 



CONDITIONS OF USE 



188 



VALUE 



564- 

566(1 )4_ SIGNATURE 1 



o 
O 

o 



566(N1^ SIGNATURE N 



OTHER 
INFORMATION 

568 



CERTIFICATE 1 f 



_ 504(1) 



o 
o 
o 



CERTIFICATE N 



r 



504(N) 



152 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 79 of 99 



US 6,658,568 Bl 



c 



START 



I 



3 



FIG. 51 G 



NEGOTIATE CONTROL INFORMATION GOVERNING 
PARTICIPANT ACTION 



T 



570 



SELECT A RANDOM VALUE 

i 



^J--572 



MAKE VIRTUAL ENTITY CERTIRCATE INFORMATION 

BY ASSOCIATING RANDOM VALUE WITH OTHER 
INFORMATION 



DIGITALLY SIGN VIRTUAL ENTITY 
CERTIFICATE INFORMATION 



MAKE CONTAINER USING CONTROL 
INFORMATION, CERTIRCATE INFORMATION AND 
PARTICIPANT CERTIRCATE 



"—1-578 




TRANSMIT COMPLETED] 
CONTAINER TO ALL 
PARTICIPANTS 



1 



TRANSMIT CONTAINER I 



DONE 



J 



X 



ACCESS CONTAINER -f-584 

— r 



VAUDATE 



^j-586 



DIGITALLY SIGN VIRTUAL ENTITY 
CERTIRCATE INFORMATION 



ADD/REPLACE CERTIRCATE INFO 



ADD PARTICIPANT CERTIRCATE 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 80 of 99 US 6,658,568 Bl 



FIG. 51 H 



C 



REQUEST 



WRITE AUDIT RECORD 



594A 



EVALUATE REQUEST USING 
CONDITIONS OF USE 




ACCESS VIRTUAL ENTITY VALUE 
FROM CONTAINER 







DISABLE 
FURTHER USE 



WRITE 
ADDITIONAL 
AUDIT 



USE CONTROL INFORMATION ASSOCIATED WITH 
CONDITIONS OF USE TO FULFILL REQUEST 
AND PERFORM CONSEQUENCES 



^594! 
^ 'sTOP J* 



01/11/2004, EAST Version: 1.4.1 



U.S. Patenntt Dec. 2, 2003 



Sheet 81 of 99 



US 6,658,568 Bl 



g "a "g a 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec 2, 2003 Sheet 82 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoSo Pffltemlt Dec. 2, 2003 Sheet 83 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.So Patonit 



Dec. 2, 2003 



Sheet 84 of 99 



US 6,(558,568 Bl 




01/11/2004, 



EAST Version: 1.4.1 



Uo§. Patent Dec. 2, 2003 Sheet 85 of 99 US (5,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Pattemilt 



Dec. 2, 2003 



Sheet 86 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 87 of 99 



US 6,658,568 Bl 



FIG. 58A 

Forming a Control 
Superset 




164(2) 




164(N) 




188(1) 



152(1) 



152(2) 



188(2) 



152< 



(N)-~^ 




188(N) 



TRANSACTION 
AUTHORITY 
700 



m 
r 
m 
o 

H 
33 
O 
Z 

o 

m 
w 
O 



H 
O 



a 

o 

31 

z 
m 

o 
o 

H 

5 



5 

o 
o 



188x 




188y 



798 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 88 of 99 US 6,658,568 Bl 



FIG. 58B Transaction Authority Example Steps 



RECEIVE CONTROL SET GOVERNING 
BUSINESS REQUIREMENTS, LIMITATIONS, 
& PROCESSES 



750 



RECEIVE CONTROL SET THAT AGGREGATES 
ELEMENTS OF OTHER CONTROL SETS INTO 
PROCESSES WITH REQUIREMENTS & LIMITATIONS 



752 



754 



STORE 



3^ 



RECEIVE EVENT REQUIRING PROCESSING 



-v 756 



ACTIVATE TRANSACTION CONTROL SET 



DELIVER CONTROL SET PORTIONS 
TO 1ST RECIPIENT (REPEAT) 



758 



760 



X 



762 



MONITOR EVENTS RECEIVED USING 
CONTROL SET 



766 



PROCESS ERROR EVENT 
IN CONTROL SET 




DONE 



CRITICAL ERROR 
HANDLING 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec 2, 2003 Sheet 89 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.So Patamtt 



Dec. 2, 2003 



Sheet 90 of 99 



US 6,658,568 Bl 



c 



START 



r 



6002 



CONTAINER FORWARDED 
TO SECURITY CHECKPOINT 
SYSTEM 



REQUIREMENTS 
„ SATISFIED? 




6008 



PERFORM 'REQUIREMENTS 
NOT SATISFIED" 
CONSEQUENCES 



PERFORM "REQUIREMENTS 
| SATISFIED" CONSEQUENCES 



ADDITIONAL 
COMMUNICATIONS 
REQUIRED? 




1 


Y 

i s~ 


1 TRANSMIT TO NEXT SYSTEM 






RECEIVED BY NEXT SYSTEM \ 

L _ ■ 1 







6012 



6014 



N 



IS A SECURITY 
CHECKPOINT SYSTEM? 



601S 



01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec. 2, 2003 



Sheet 91 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



UoS. Patemut 



Dec 2, 2003 



Sheet 92 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



Uo§ 0 Patent 



Pec. 2, 2<MB 



Sheet 93 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 




01/11/2004, EAST Version: 1.4.1 



U 0 § 0 Patterns 



Dec. 2, 2003 



Sheet 95 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 96 of 99 



US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent Dec. 2, 2003 Sheet 97 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 




01/11/2004, EAST Version: 1.4.1 



U.S. Patent 



Dec 2, 2003 Sheet 99 of 99 US 6,658,568 Bl 




01/11/2004, EAST Version: 1.4.1 



